From 43bc3a4d36f06532ad0755447a4e55b1bcc96a61 Mon Sep 17 00:00:00 2001 From: Meder Kydyraliev <1212257+meder@users.noreply.github.com> Date: Tue, 29 Oct 2024 15:16:20 +1100 Subject: [PATCH 1/2] Update mitigation section for the Dependency Confusion threat. Signed-off-by: Meder Kydyraliev <1212257+meder@users.noreply.github.com> --- docs/spec/draft/threats.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/spec/draft/threats.md b/docs/spec/draft/threats.md index d541533f6..bd3a1e285 100644 --- a/docs/spec/draft/threats.md +++ b/docs/spec/draft/threats.md @@ -775,9 +775,18 @@ The consumer requests a package that it did not intend. on the victim's internal registry, and wait for a misconfigured victim to fetch from the public registry instead of the internal one. -**TODO:** fill out the rest of this section +*Mitigation:* The mitigation is for the software producer to build internal +packages on a SLSA Level 2+ compliant build system and define expectations for +build provenance. Expectations must be verified on installation of the internal +packages. If a misconfigured victim attempts to install attacker's package with +an internal name but from the public registry, then verification against +expectations will fail. + +For more information see [Verifying artifacts](https://slsa.dev/spec/v1.1/verifying-artifacts) +and [Defender's Perspective: Dependency Confusion and Typosquatting Attacks](https://slsa.dev/blog/2024/08/dep-confusion-and-typosquatting). +
Typosquatting *Threat:* Register a package name that is similar looking to a popular package From a75a5fea97e46ab542ac2945c7bcdc4d74a2a73d Mon Sep 17 00:00:00 2001 From: Meder Kydyraliev <1212257+meder@users.noreply.github.com> Date: Tue, 29 Oct 2024 15:23:20 +1100 Subject: [PATCH 2/2] Make href relative. Signed-off-by: Meder Kydyraliev <1212257+meder@users.noreply.github.com> --- docs/spec/draft/threats.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/spec/draft/threats.md b/docs/spec/draft/threats.md index bd3a1e285..592251890 100644 --- a/docs/spec/draft/threats.md +++ b/docs/spec/draft/threats.md @@ -782,8 +782,8 @@ packages. If a misconfigured victim attempts to install attacker's package with an internal name but from the public registry, then verification against expectations will fail. -For more information see [Verifying artifacts](https://slsa.dev/spec/v1.1/verifying-artifacts) -and [Defender's Perspective: Dependency Confusion and Typosquatting Attacks](https://slsa.dev/blog/2024/08/dep-confusion-and-typosquatting). +For more information see [Verifying artifacts](/spec/v1.1/verifying-artifacts) +and [Defender's Perspective: Dependency Confusion and Typosquatting Attacks](/blog/2024/08/dep-confusion-and-typosquatting).