New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
security: analyze dependencies for malicious behavior #59091
security: analyze dependencies for malicious behavior #59091
Conversation
@varunsh-coder Thank you for submitting this PR! I see this is your first time submitting to DefinitelyTyped 👋 — I'm the local bot who will help you through the process of getting things through. This is a live comment which I will keep updated. This PR touches some part of DefinitelyTyped infrastructure, so a DT maintainer will need to review it. This is rare — did you mean to do this? 0 packages in this PR (and infra files)
Code ReviewsThere aren't any other owners of this package, so a DT maintainer will review it. You can test the changes of this PR in the Playground. Status
Once every item on this list is checked, I'll ask you for permission to merge and publish the changes. Diagnostic Information: What the bot saw about this PR{
"type": "info",
"now": "-",
"pr_number": 59091,
"author": "varunsh-coder",
"headCommitOid": "6323f8d65ef5f734e6889b97534df79e3d95ad39",
"mergeBaseOid": "772aa755179639b32de9c6bb8c2154a6bfadb2b8",
"lastPushDate": "2022-03-03T15:32:57.000Z",
"lastActivityDate": "2022-03-03T15:39:55.000Z",
"hasMergeConflict": false,
"isFirstContribution": true,
"tooManyFiles": false,
"hugeChange": false,
"popularityLevel": "Well-liked by everyone",
"pkgInfo": [
{
"name": null,
"kind": "edit",
"files": [
{
"path": ".github/workflows/CI.yml",
"kind": "infrastructure"
}
],
"owners": [],
"addedOwners": [],
"deletedOwners": [],
"popularityLevel": "Critical"
}
],
"reviews": [],
"mainBotCommentID": 1058169291,
"ciResult": "pass"
} |
🔔 @varunsh-coder — there are no owners, but it would still be good if you find someone to review this PR in the next few days, otherwise a maintainer will look at it. (And if you do find someone, maybe even recruit them to be a second owner to make future changes easier...) |
Thanks for the (automated??) PR, but this isn't something we'd like to add to the actions at this time. |
Hi @RyanCavanaugh it was not automated :). I had created it manually. No problem. Request you to please share feedback though, e.g. what are your concerns in adding it, that will be really helpful. Thanks! |
I don't see how this meaningfully improves the security posture of a project, and it increases the surface area in the process by virtue of being another component. How does someone hijack a dependency?
Once the dependency is hijacked, how does this help?
|
Thanks @RyanCavanaugh for the comments. I should have provided more clarity when creating PR. There are different scenarios. In this case, my intent was to detect hijacked/ malicious dependencies as was the case in these past incidents (listed below). The scenario being that as part of normal dependency version updates in the package.json/ package-lock.json file, a new version of one of the dependency packages may be compromised. Or it may be that someone accidentally uses a typo-squatted library in the package.json. In all these cases, an immediate outbound call was made, typically to an IP address, as part of the
For the scenario of vscode-write-access attack, and increase surface area, I had set the token permissions to JFYI, since you have good knowledge of these past attacks, also wanted to share this issue where we are trying to investigate setting node policy to restrict API access for dependencies. The analysis on past incidents that I shared above was done as part of this issue. Request you to please share ideas on this as well. |
This PR
contents: read
. This is a security best practice and gets you are higher Scorecard score. You can use https://app.stepsecurity.io to automate some of the fixes, such as pinning actions to commit SHA...harden-runner GitHub Action detects hijacked dependencies and compromised build tools. It correlates outbound traffic with each step of the workflow so you can see what processes are calling what endpoints. This is the analysis when run on a fork: https://app.stepsecurity.io/github/varunsh-coder/DefinitelyTyped/actions/runs/1928867032
You can restrict traffic to the allowed endpoints for future runs which will block calls that compromised dependencies typically make, and an annotation will be shown in such cases. You do not need to grant any permission or install any App to use this, and the action (and agent the action uses) are open source.
Information on how harden-runner could have detected past package hijacks can be found here: https://github.com/step-security/supply-chain-goat. Do share feedback to improve the harden-runner GitHub Action developer experience. Thanks!
Please fill in this template.
npm test <package to test>
.Select one of these and delete the others:
If adding a new definition:
.d.ts
files generated via--declaration
dts-gen --dt
, not by basing it on an existing project.tslint.json
should contain{ "extends": "@definitelytyped/dtslint/dt.json" }
, and no additional rules.tsconfig.json
should havenoImplicitAny
,noImplicitThis
,strictNullChecks
, andstrictFunctionTypes
set totrue
.If changing an existing definition:
If removing a declaration:
notNeededPackages.json
.