near / near-one-project-tracking

A repository for tracking work items that NEAR One is working on.

[ProjectTracking] Use CI to improve our security stance #17

Open Ekleog-NEAR opened 9 months ago

Ekleog-NEAR commented 9 months ago

Goals

Background

We had basically nothing security-related in CI before the Hacken report. During the Hacken report remediation period, we started improving on our security stance, by adding a few tools in CI, most notably, code coverage and dependency auditing for known vulnerabilities.

Why should NEAR One work on this

However, we are still lacking in quite a few domains. In particular, we currently only check that we have no known vulnerable dependencies in our dependency list, but we do not even have a cursory glance at the source code of dependencies, so a supply chain attack introducing a backdoor would be relatively easy to perform against us. It is to mitigate this that we do not upgrade dependencies too often. But, due to this mitigation, our dependency management story is basically random.

We should thus at least set up `cargo vet` or `cargo crev` in order to make sure at least someone we trust, not necessarily us, has already had a cursory glance at the source code of our dependencies.

In addition to this, this project also suggests looking through the whole Rust ecosystem to find tools that could help us improve our security stance. The rust-secure-code list can probably help find some.

What needs to be accomplished

Main use case

With CI enforcing additional security checks, we could get new guarantees, and thus make nearcore more secure for a relatively low cost.

Links to external documentations and discussions

None

Estimated effort

The estimated time is 1-2 person-months. The security team, currently @Ekleog-NEAR, can work on it. Depending on the number of interesting projects found, the estimated time could either go down to 1-2 weeks or up to a number that would depend on how many and how interesting the projects are.

Assumptions

None

Pre-requisites

None

Out of scope

None

Task list

### Tasks
- [ ] Set up `cargo-vet` or similar
- [ ] Read through the rust-secure-code list and, more generally, the internet, looking for interesting projects to integrate into nearcore
- [ ] Integrate the projects found
- [ ] Consider adding similar CI improvements to the Rainbow Bridge
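As an added illustration of what the first task (running `cargo vet` in CI, next to the existing dependency audit) could look like, here is a GitHub Actions workflow. This is example code written for this page, not nearcore's or NEAR One's own workflow; the file name, the `master` branch name and the action versions are assumptions.

```yaml
# .github/workflows/supply-chain.yml   (hypothetical file name, example only)
name: supply-chain checks

on:
  pull_request:
  push:
    branches: [master]   # assumed default branch

jobs:
  cargo-vet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Install the tool itself with --locked so the checker is built from
      # its own pinned lockfile and the job is reproducible.
      - run: cargo install cargo-vet --locked
      # `cargo vet --locked` only uses the audits and imports already
      # recorded under supply-chain/ in the repository; it does not fetch
      # new imported audits during CI. It exits non-zero if any crate in
      # Cargo.lock has neither an audit nor an exemption, failing the job.
      - run: cargo vet --locked

  cargo-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo install cargo-audit --locked
      # Fail on known-vulnerable dependencies, and also treat
      # unmaintained/unsound/yanked advisories as errors.
      - run: cargo audit --deny warnings
```

Before this job can pass, the repository needs a one-time `cargo vet init`, which creates the `supply-chain/` directory and records every current dependency as an exemption; from then on, a PR that bumps or adds a crate fails CI until someone records an audit (`cargo vet certify`) or the crate is covered by an audit imported from a trusted third party listed in `supply-chain/config.toml`. That is exactly the "someone we trust has looked at it" property the issue asks for, and it turns the current ad-hoc "do not upgrade too often" mitigation into an explicit, reviewable gate.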