StatCan / aaw

Documentation for the Advanced Analytics Workspace Platform
https://statcan.github.io/aaw/

Artifactory: set up XRAY to block download of vulnerable packages #609

Closed Jose-Matsuda closed 2 years ago

Jose-Matsuda commented 3 years ago

From https://github.com/StatCan/daaas/issues/607

Set up a rule to block downloads for Artifacts with a vulnerability severity of "High" or greater.

Jose-Matsuda commented 3 years ago

I've been looking around at how to do some scanning for CRAN and conda-forge but it seems like they are not natively supported by XRAY.

There appears to be a solution known as jake https://github.com/sonatype-nexus-community/jake https://ossindex.sonatype.org/ https://pypi.org/project/jake/ that may help with this. Will probably post around forums to see what others have seen and tried

Jose-Matsuda commented 3 years ago

I have set up the policy and the watch for PyPi.

As for CRAN and conda-forge I will be looking into how they evaluate their packages in regards to vulnerabilities and the like to see if this is something that can possibly be kept in mind. I know Blair has mentioned that the people over at CRAN are selective in what they choose to have.

Jose-Matsuda commented 3 years ago

RStudio Support article from last month about package security.

Couple of key points in the "considerations" area

1) CRAN requires all submitted R packages to pass a series of checks prior to accepting them into the CRAN repository. While these tests do not specifically target malicious code, the tests provide a significant hurdle to uploading malicious packages to CRAN.

2) R code is almost always executed as a non-privileged user. The majority of R code, especially code run in RStudio Server Pro or RStudio Connect, is executed on behalf of a restricted service or user accounts.

The other two considerations are for "RStudio Package Manager".

The packages do go through automated checking with results shown here

Jose-Matsuda commented 2 years ago

A few quick notes from the meeting with Jonathan.

CRAN

He echoes the sentiment of the folks over at CRAN being generally good at keeping their packages safe. He notes that there are tools within the R ecosystem that look up vulnerabilities and could wrap that and let it check packages (though from what I know those are premium / not free). Also mentioned oysteR which is open source but where you can make calls to their vulnerability database but the rate is limited somewhat.

CONDA

Similar to oysteR there is jake with the same rate-limiting capabilities on their OSS Index.

Extra thoughts

I have a couple of concerns about these two open source resources provided by the Sonatype community.

1) These run on an already running environment that already has said package installed.

2) Rate limiting on requests made (not sure how many we can make after creating an account).

Upon signing up for an account I can see more detailed info on what they have on a package and vulnerabilities like image and in my exploration it seems that https://nvd.nist.gov/vuln/search is a source for many of said vulnerabilities. "JFrog Xray is open for integration with any number of issue and vulnerability providers." So maybe could set up something but I'm unsure if making an integration would still allow cran or conda packages to be scanned

Might want to spend a bit of time fleshing out these ideas in a meeting as I'm not too sure myself on any best plans of action.
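The rule from the first comment ("block downloads for artifacts with a vulnerability severity of High or greater") and the OSS Index lookups discussed above can be sketched as a plain severity gate. The block below is an added example, not the project's Xray policy or the jake/oysteR code: it maps CVSS v3.x base scores to the standard qualitative bands, picks the worst finding per package, and decides BLOCK/ALLOW against a threshold. The report data is constructed; the field names (`coordinates`, `vulnerabilities`, `cvssScore`) are an assumption about the shape of an OSS Index component report, and the purl coordinates are made up.

```python
"""Severity gate over an OSS Index-style scan report (added example with
constructed data; not the project's own Xray configuration)."""
from typing import Dict, List

# CVSS v3.x qualitative rating bands, ranked so a threshold compares as an integer.
SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def cvss_to_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating (FIRST bands)."""
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def worst_severity(vulnerabilities: List[dict]) -> str:
    """Highest rating among a component's findings ("None" if it has none)."""
    worst = "None"
    for vuln in vulnerabilities:
        rating = cvss_to_severity(float(vuln.get("cvssScore", 0.0)))
        if SEVERITY_RANK[rating] > SEVERITY_RANK[worst]:
            worst = rating
    return worst


def should_block(component: dict, threshold: str = "High") -> bool:
    """Policy decision: block when the worst finding reaches the threshold."""
    worst = worst_severity(component.get("vulnerabilities", []))
    return SEVERITY_RANK[worst] >= SEVERITY_RANK[threshold]


def evaluate_report(report: List[dict], threshold: str = "High") -> Dict[str, str]:
    """Return {coordinates: "BLOCK" | "ALLOW"} for every component in the report."""
    return {
        component["coordinates"]: ("BLOCK" if should_block(component, threshold) else "ALLOW")
        for component in report
    }


# Constructed report (assumed OSS Index-like shape). Package names, ids and
# scores are invented; the purl types pypi/cran/conda are the ones the thread cares about.
SAMPLE_REPORT = [
    {"coordinates": "pkg:pypi/example-lib@1.0.0",
     "vulnerabilities": [{"id": "EXAMPLE-1", "cvssScore": 9.8},
                         {"id": "EXAMPLE-2", "cvssScore": 5.3}]},
    {"coordinates": "pkg:cran/example-pkg@2.1",
     "vulnerabilities": [{"id": "EXAMPLE-3", "cvssScore": 6.9}]},
    {"coordinates": "pkg:conda/example-tool@0.4",
     "vulnerabilities": []},
    {"coordinates": "pkg:pypi/borderline@3.2",
     "vulnerabilities": [{"id": "EXAMPLE-4", "cvssScore": 7.0}]},  # exactly at the High boundary
]

if __name__ == "__main__":
    for coords, decision in evaluate_report(SAMPLE_REPORT).items():
        print(f"{decision:5} {coords}")
```

The boundary case matters for the policy text: a score of 7.0 is already "High" under the CVSS v3.x bands, so it is blocked, while 6.9 stays "Medium" and is allowed at the default threshold; lowering the threshold to "Medium" is a one-argument change. Because the lookups behind jake and oysteR are rate limited, a gate like this would normally run over a cached report for the packages actually requested rather than querying per download.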

Jose-Matsuda commented 2 years ago

Will close this as specifically for PyPi as well as some investigation into CRAN and Conda-forge for which we will need to speak with the JFROG folks about it. New issue for Conda and CRAN will be linked to this issue