OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

Is the new 14.2.7 clear enough? #1746

Closed tghosth closed 1 year ago

tghosth commented 1 year ago

14.2.7 was added in this PR.

| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 14.2.7 | [ADDED] Verify that third party components are sourced separately from internally owned and developed applications. | | | | 441 |

It is followed by the following note:

Note: Certain languages and package managers have ecosystems that require the identification of packages using multiple factors (e.g. groupId and artifactId). This would allow the build process to more specifically identify a resource. In other cases, package managers operate by the order of repositories or mirrors included. Consult your package managers to specifically indicate search order.

Do we think this requirement is clear enough or could it be made clearer?

Any thoughts @joubin?
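The two situations the note describes, namespaced identification versus repository search order, can be checked mechanically. The following is an added example for this discussion, not ASVS project code: it audits a pip.conf and an .npmrc for the configurations that let a public registry satisfy a request meant for an internal package, and models why pip's `extra-index-url` is the dangerous setting. The internal npm scope `@acme`, the hostnames and the sample configuration texts are constructed for illustration.

```python
"""Audit pip and npm configuration for dependency-confusion exposure.

Added example (not ASVS project code). The internal scope '@acme', the
hostnames and the sample config texts are constructed for illustration.
"""
import configparser
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str
    setting: str
    message: str


def pip_selects(candidates: dict[str, list[tuple[int, ...]]]) -> tuple[str, tuple[int, ...]]:
    """Model pip's choice when several indexes offer the same name.

    pip has no search order: every index in index-url and extra-index-url is
    queried and the highest version wins, whichever index served it. Versions
    are simplified to int tuples here."""
    return max(((idx, v) for idx, vs in candidates.items() for v in vs),
               key=lambda iv: iv[1])


def audit_pip_conf(text: str) -> list[Finding]:
    """Flag a pip.conf whose [global] section merges public and internal indexes."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    findings: list[Finding] = []
    if not cp.has_section("global"):
        return findings
    g = cp["global"]
    extra = [u for u in g.get("extra-index-url", "").split() if u]
    if extra:
        findings.append(Finding(
            "pip", "extra-index-url",
            "index-url and extra-index-url are searched together and the highest "
            "version wins; a same-named public package takes precedence over the "
            "internal one. Point index-url at a single repository manager that "
            "routes internal names only to the internal source."))
    for url in [g.get("index-url", "")] + extra:
        if url.startswith("http://"):
            findings.append(Finding("pip", "index-url", f"plaintext index {url}"))
    return findings


def parse_npmrc(text: str) -> dict[str, str]:
    """Parse the key=value lines of an .npmrc, skipping ';' and '#' comments."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit_npmrc(text: str, internal_scopes: tuple[str, ...]) -> list[Finding]:
    """npm identifies a package by scope plus name (the note's 'multiple
    factors'); a scope with no '<scope>:registry' line falls back to the
    default registry, which is the public one unless 'registry' is overridden."""
    settings = parse_npmrc(text)
    default_registry = settings.get("registry", "https://registry.npmjs.org/")
    findings: list[Finding] = []
    for scope in internal_scopes:
        reg = settings.get(f"{scope}:registry")
        if reg is None or reg == default_registry:
            findings.append(Finding(
                "npm", f"{scope}:registry",
                f"internal scope {scope} resolves from {default_registry}; "
                f"pin it to the internal registry with '{scope}:registry=<url>'"))
    return findings


# Constructed sample configurations: the weak form beside the hardened form.
WEAK_PIP_CONF = """
[global]
index-url = https://pypi.org/simple
extra-index-url = https://pypi.acme.internal/simple
"""

HARDENED_PIP_CONF = """
[global]
index-url = https://repo.acme.internal/pypi/simple
"""

WEAK_NPMRC = """
registry=https://registry.npmjs.org/
"""

HARDENED_NPMRC = """
registry=https://registry.npmjs.org/
@acme:registry=https://npm.acme.internal/
"""

if __name__ == "__main__":
    for name, findings in (("weak pip", audit_pip_conf(WEAK_PIP_CONF)),
                           ("hardened pip", audit_pip_conf(HARDENED_PIP_CONF)),
                           ("weak npm", audit_npmrc(WEAK_NPMRC, ("@acme",))),
                           ("hardened npm", audit_npmrc(HARDENED_NPMRC, ("@acme",)))):
        print(name, findings or "OK")
    print(pip_selects({"internal": [(1, 2, 0)], "pypi": [(99, 0, 0)]}))
```

The pip check is deliberately strict: the only way to give pip a search order is to not give it a choice, i.e. a single `index-url` fronted by a repository manager that knows which names are internal. Maven's groupId plus artifactId, with a `settings.xml` mirror covering `*`, achieves the same separation for that ecosystem and is not modelled here.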

ImanSharaf commented 1 year ago

@tghosth is it here to avoid dependency confusion?

elarlang commented 1 year ago

Original issue: https://github.com/OWASP/ASVS/issues/899 - why not re-open the issue for clarification?

I'm not sure the chosen CWE suits here - CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')

tghosth commented 1 year ago

Fair one @elarlang, I will close this and move discussion back to #899