open-telemetry / sig-security


Prevent supply chain attacks in open-telemetry repositories #58

Open marcalff opened 2 months ago

marcalff commented 2 months ago

Today, opentelemetry-cpp got an attack in the form of:

This PR is deleted already, audit trail shows:

File Changes

([5 files](https://github.com/open-telemetry/opentelemetry-cpp/pull/3018/files))

    M [.gitattributes](https://github.com/open-telemetry/opentelemetry-cpp/pull/3018/files#diff-618cd5b83d62060ba3d027e314a21ceaf75d36067ff820db126642944145393e) (11)
    A [.yamato/bin/python-3.11.5-embed-amd64.zip](https://github.com/open-telemetry/opentelemetry-cpp/pull/3018/files#diff-f5ac278b83378ade50ded6f9cc57a4f0e9d1108a1ea7f8dcdef4f3688bfd0104) (3)
    A [.yamato/main.yml](https://github.com/open-telemetry/opentelemetry-cpp/pull/3018/files#diff-792110253ce7d624130d2119785a277aeb0ac0847ac1497ebbc3119273820062) (61)
    A [.yamato/scripts/build.ps1](https://github.com/open-telemetry/opentelemetry-cpp/pull/3018/files#diff-001b58f0bc08fd2f98c2694df66277be766efd689816ac6b9eeca30a93d04d2a) (118)
    A [.yamato/scripts/build.sh](https://github.com/open-telemetry/opentelemetry-cpp/pull/3018/files#diff-cee5ccc59f492b371e08172ebf50b3a4be4b08170d6210c88408a44cf15efb16) (55)

I would like to add logic to find executable files and/or files that contain binary, to audit the code, and ring bells when this happens, should the PR (hypocrite commit) pass code review and be merged.

The problem is that if this logic itself is part of CI scripts located in the opentelemetry-cpp repository, any PR that wants to inject code will just disable or alter the scripts as well, making this useless.

Where would be a good place to have audit tools to scan for executables or data files, in each open-telemetry repository?

Related:

cc @open-telemetry/cpp-maintainers
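One way to implement the audit marcalff asks for (flag executable bits, binary content and changes under a root dot-directory among a PR's changed files), as an added example that is neither part of this issue nor any open-telemetry project's tooling. It assumes the caller has already gathered each changed file's path, git mode string and contents from git, and it only addresses the concern about in-repo CI if it runs from outside the scanned repository (for example an organization-level workflow, which this page does not name).

```python
import re

# Leading bytes of common binary containers; an illustrative, not exhaustive, list.
MAGIC = {b"PK\x03\x04": "zip archive", b"\x7fELF": "ELF executable", b"MZ": "PE executable"}
# Extensions that mean "this is executed or unpacked", not compiled from reviewed source.
SCRIPT_EXT = re.compile(r"\.(sh|ps1|bat|cmd|exe|dll|so|zip|jar)$", re.IGNORECASE)
# A dot-directory at the repo root is CI/tooling config and deserves a closer look.
DOT_DIR = re.compile(r"^\.[A-Za-z0-9_-]+/")


def classify_change(path: str, mode: str, data: bytes) -> list[str]:
    """Findings for one changed file; an empty list means nothing to flag."""
    findings = []
    if mode == "100755":
        findings.append("executable bit set")
    label = next((lab for magic, lab in MAGIC.items() if data.startswith(magic)), None)
    if label:
        findings.append(f"binary content: {label}")
    elif b"\x00" in data[:8000]:  # same heuristic git uses to call a file binary
        findings.append("binary content: unknown format")
    if SCRIPT_EXT.search(path):
        findings.append("script or binary extension")
    if DOT_DIR.match(path):
        findings.append("change under a root dot-directory (CI/tooling config)")
    return findings


def scan_changes(changes) -> dict[str, list[str]]:
    """Map each flagged path to its findings; clean files are left out."""
    report = {}
    for path, mode, data in changes:
        if findings := classify_change(path, mode, data):
            report[path] = findings
    return report


# Constructed sample mirroring the paths in the issue; file contents are placeholders.
SAMPLE_CHANGES = [
    (".gitattributes", "100644", b"*.zip -text\n"),
    (".yamato/bin/python-3.11.5-embed-amd64.zip", "100644", b"PK\x03\x04" + b"\x00" * 12),
    (".yamato/scripts/build.sh", "100755", b"#!/bin/sh\necho build\n"),
    ("src/tracer.cc", "100644", b"int main() { return 0; }\n"),
]

if __name__ == "__main__":
    for path, findings in scan_changes(SAMPLE_CHANGES).items():
        print(f"{path}: {'; '.join(findings)}")
```

Against the sample, the two `.yamato/` files are reported and the source file and `.gitattributes` change are not; a real deployment would feed the output into a required status check rather than print it.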

jpkrohling commented 2 months ago

I believe this is the role of CodeQL / Snyk. They can be integrated either via GitHub workflow, or as an application. I can work with you to onboard opentelemetry-cpp on Snyk and see if that would have caught this situation.

jpkrohling commented 2 months ago

@marcalff, can you ping me via Slack? I'll need your email address in order to invite you to the Snyk organization. Once you are there, I'll include opentelemetry-cpp there for scanning. You should be able to make it a required check if you wish afterwards.