SAP / risk-explorer-for-software-supply-chains

A taxonomy of attacks on software supply chains in the form of an attack tree, based on and linked to numerous real-world incidents and other resources. The taxonomy as well as related safeguards can be explored using an interactive visualization tool.
https://sap.github.io/risk-explorer-for-software-supply-chains/
Apache License 2.0

Description of AV-208 is hard to understand #91

Closed copernico closed 5 months ago

copernico commented 1 year ago

Without some context or an example, the description of AV-208 is hard to understand. In particular, it is unclear what it means to "omit the scope" (what scope? omit from where?) I suspect this might be only relevant for some ecosystems?

henrikplate commented 1 year ago

Old description of AV-208, Omitting Scope or Namespace: This technique consists of taking the name of a package with scope (or namespace) and publishing it without the scope.

Proposed change: Some package repositories support namespaces as an optional element of a package identifier. Each user and organization on npm, for instance, has its own scope. Namespaces are typically used by individuals, organizations or projects to group and manage multiple artifacts, and indicate ownership to potential consumers. Attackers can publish a package with an identical name but without namespace in the hope that victims wrongly believe it comes from the trusted organization or project.
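
One defensive check that follows from the proposed description, as an added example that is not part of the issue thread or of the Risk Explorer project: parse each npm dependency into its scope and bare name, and flag any unscoped dependency whose bare name matches a package the organization publishes under one of its own scopes. The `@acme/...` packages and the `package.json` below are constructed sample data; the scope list would in practice come from the organization's own registry or allow-list.

```javascript
// Added example (not from the project): detect dependencies whose bare name
// collides with a package published under a trusted scope, the confusion
// AV-208 describes. All package names and the manifest are constructed.

// Split an npm identifier into { scope, name }; scope is null when unscoped.
function parsePackageName(spec) {
  const m = /^(?:(@[^/]+)\/)?([^@/]+)$/.exec(spec);
  if (!m) throw new Error(`invalid npm package name: ${spec}`);
  return { scope: m[1] || null, name: m[2] };
}

// Constructed snapshot of packages the organization publishes under its scope.
const TRUSTED_SCOPED_PACKAGES = [
  "@acme/http-client",
  "@acme/logger",
  "@acme/config",
];

// Build a map: bare name -> list of trusted scoped identifiers with that name.
function indexByBareName(scopedList) {
  const idx = new Map();
  for (const spec of scopedList) {
    const { scope, name } = parsePackageName(spec);
    if (!scope) continue; // only scoped packages are of interest here
    if (!idx.has(name)) idx.set(name, []);
    idx.get(name).push(spec);
  }
  return idx;
}

// Return one finding per unscoped dependency whose bare name matches a
// trusted scoped package; the caller decides whether to block or review.
function findUnscopedCollisions(manifest, scopedList) {
  const idx = indexByBareName(scopedList);
  const findings = [];
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  for (const section of sections) {
    for (const dep of Object.keys(manifest[section] || {})) {
      const { scope, name } = parsePackageName(dep);
      if (scope === null && idx.has(name)) {
        findings.push({ section, dependency: dep, expected: idx.get(name) });
      }
    }
  }
  return findings;
}

// Constructed package.json: "logger" and "config" appear without a scope even
// though the organization publishes "@acme/logger" and "@acme/config";
// "@acme/http-client" and "lodash" raise no finding.
const SAMPLE_MANIFEST = {
  name: "sample-app",
  dependencies: {
    "@acme/http-client": "^2.1.0",
    "logger": "^1.0.0",
    "lodash": "^4.17.21",
  },
  devDependencies: {
    "config": "^3.0.0",
  },
};

for (const f of findUnscopedCollisions(SAMPLE_MANIFEST, TRUSTED_SCOPED_PACKAGES)) {
  console.log(
    `${f.section}: "${f.dependency}" is unscoped; expected one of ${f.expected.join(", ")}`
  );
}
```

The check is deliberately narrow: it only reports bare names that coincide with a package the organization itself publishes under a scope, which is exactly the case where an unscoped dependency is most likely to be mistaken for the trusted one. It does not consult the registry, so it runs offline against a lockfile or manifest in CI.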

piergiorgioladisa commented 5 months ago

Closing the issue as it has been fixed by @henrikplate