theupdateframework / go-tuf

Go implementation of The Update Framework (TUF)
https://theupdateframework.com
Apache License 2.0

Migrate from github.com/tent/canonical-json-go as it is archived #180

Closed naveensrinivasan closed 2 years ago

naveensrinivasan commented 2 years ago

This project is archived and hasn't been updated in the last 9 years. This is a risk. JSON parsing and marshaling are hard and could have potential issues.

https://github.com/theupdateframework/go-tuf/blob/52193a283c302acaeb39bf8045292815abc568c6/sign/sign.go#L4

https://github.com/tent/canonical-json-go

asraa commented 2 years ago

Are there better alternatives? https://github.com/gibson042/canonicaljson-go also doesn't seem active

trishankatdatadog commented 2 years ago

Right: to me, a project doesn't necessarily need to be active to remain secure. Having said that, it does look like go-tuf and go-in-toto may need to maintain their own canonicalization library in go-securesystemslib @adityasaky @lukpueh

naveensrinivasan commented 2 years ago

Right: to me, a project doesn't necessarily need to be active to remain secure.

The project doesn't get updates on its dependencies, which is a red flag. How does the project handle zero-days when it isn't active and there is no one to respond or take care of them?

adityasaky commented 2 years ago

Hmm, I just looked at what in-toto-golang uses, and it looks like @lukpueh ported encode_canonical from python-sslib here: https://github.com/in-toto/in-toto-golang/blob/master/in_toto/canonicaljson.go. I propose creating a go-sslib/cjson package and moving this there. I also found https://github.com/in-toto/in-toto-golang/pull/47 where re-using this in other implementations was discussed.
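
The canonicalization being discussed follows the OLPC canonical JSON rules that securesystemslib's encode_canonical implements (sorted keys, no whitespace, only `\` and `"` escaped in strings, integers only, floats rejected). The encoder below is an added example written for this thread, not code from go-tuf, in-toto-golang or go-securesystemslib; it assumes the input is the generic shape encoding/json produces when unmarshaling into an interface{}, which is why every number arrives as a float64 and is checked for integrality before being emitted.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// CanonicalJSON serialises v (what encoding/json unmarshals into an interface{}) under the OLPC canonical JSON
// rules that securesystemslib's encode_canonical follows. Added example for this thread, not go-tuf's own code.
func CanonicalJSON(v interface{}) (string, error) {
	var err error
	switch x := v.(type) {
	case nil:
		return "null", nil
	case bool, int, int64:
		return fmt.Sprintf("%v", x), nil // true/false or a plain decimal integer
	case float64: // encoding/json decodes every JSON number as float64
		if x != float64(int64(x)) { // rejects fractions, NaN, +/-Inf and out-of-range values
			return "", fmt.Errorf("canonical JSON: %v is not an integer", x)
		}
		return fmt.Sprintf("%d", int64(x)), nil
	case string: // only `\` and `"` are escaped: no \n, \t or \uXXXX forms, unlike RFC 8259
		return `"` + strings.NewReplacer(`\`, `\\`, `"`, `\"`).Replace(x) + `"`, nil
	case []interface{}:
		parts := make([]string, len(x))
		for i, e := range x {
			if parts[i], err = CanonicalJSON(e); err != nil {
				return "", err
			}
		}
		return "[" + strings.Join(parts, ",") + "]", nil
	case map[string]interface{}:
		keys := make([]string, 0, len(x))
		for k := range x {
			keys = append(keys, k)
		}
		sort.Strings(keys) // deterministic key order is what makes the bytes signable
		parts := make([]string, len(keys))
		for i, k := range keys {
			key, _ := CanonicalJSON(k) // a string key cannot fail
			if parts[i], err = CanonicalJSON(x[k]); err != nil {
				return "", err
			}
			parts[i] = key + ":" + parts[i]
		}
		return "{" + strings.Join(parts, ",") + "}", nil
	}
	return "", fmt.Errorf("canonical JSON: unsupported type %T", v)
}
```

The returned bytes are what a signer hashes and what a verifier must reproduce byte-for-byte, so any divergence between two implementations (key order, escaping, number formatting) shows up as a signature failure.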

trishankatdatadog commented 2 years ago

Hmm, I just looked at what in-toto-golang uses, and it looks like @lukpueh ported encode_canonical from python-sslib here: https://github.com/in-toto/in-toto-golang/blob/master/in_toto/canonicaljson.go. I propose creating a go-sslib/cjson package and moving this there. I also found in-toto/in-toto-golang#47 where re-using this in other implementations was discussed.

Naveen, this seems like the best course of action. Perhaps you can help us with this?

naveensrinivasan commented 2 years ago

Sorry, I don't have the bandwidth. One recommendation: I would recommend fuzzing that package especially.

trishankatdatadog commented 2 years ago

Sorry, I don't have the bandwidth. One recommendation: I would recommend fuzzing that package especially.

While fuzzing is important, I think it would take about the same effort to correctly set it up as to move to our own canonicalization code.