Security discussion: dependencies as an attack vector.

[EarthlingDavey]

What do you think about reviewing the current dependencies?

One in particular stands out, that we are using 2 custom dory images, maintained by relatively unknown developers.

I would appreciate a chat, about the following points:

• Could/should we build and host these 2 specific images, to prevent a supply chain attack?
• Should we consider pinning versions (or hash) of 'unpopular' images, instead of pulling latest?
• How would we know if a dependency had a security issue? Could we use image scanning services?
• In terms of NodeJS, should we make use of the permissions model to define which folders can be read/written etc.?
• For composer, I believe there is a meta package that will prevent install of a bad package, can we explore this?

While I understand moving quickly with this migration is important, could we have security as an equal priority?

[wilson1000-MoJ]

I love this Davey! Let's have a chat today about improving our position here. Your suggestion focused on keeping a copy of our own and using security plugins to manage our protection sounds like a good route to follow.

[wilson1000-MoJ]

Thanks for the chat @EarthlingDavey.

Moving forward; in a bid to handle CVEs to support us in preventing supply chain attacks, we have agreed to merge the 2 repos under a new repository; https://github.com/ministryofjustice/dory-dnsmasq:

1. https://github.com/FreedomBen/dory-dnsmasq (fork)
2. https://github.com/4km3/docker-dnsmasq (merge)

This will allow us to fix the reported vulnerabilities, namely:

Our repo will use GitHub Actions to build multi-arch images in Docker Hub, for use across the estate and the wider open-source tech community.