Posted to dev@tomcat.apache.org by bu...@apache.org on 2023/06/19 16:38:59 UTC

[Bug 66658] New: Reference GitHub Actions and Docker Images by SHA

https://bz.apache.org/bugzilla/show_bug.cgi?id=66658

            Bug ID: 66658
           Summary: Reference GitHub Actions and Docker Images by SHA
           Product: Tomcat 11
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Packaging
          Assignee: dev@tomcat.apache.org
          Reporter: diogoteles@google.com
  Target Milestone: -------

Hi!

I'm Diogo and I work on Google's Open Source Security Team
([GOSST](https://github.com/diogoteles08#about-gosst-ghost)) in cooperation
with the Open Source Security Foundation ([OpenSSF](https://openssf.org/)). My
core job is to suggest and implement security changes on widely used open
source projects 😊

I'm here to ask if you are interested in a PR to hash-pin the Actions you call
in your GitHub Workflows, and the Docker images you use in your Dockerfiles.
This is the only way to guarantee that you're using an immutable version of the
code, which might protect you from tags being moved to malicious or buggy
commits.

The changes would be similar to those:

For the Dockerfiles, `FROM busybox:glibc` would become
`FROM busybox:glibc@sha256:2a6835efa6f7ba15d30e1118e72e9ba180e4ae8253bfe80e97628df85f3aad8f`

For the GitHub Actions, `- uses: actions/setup-java@v3` would become
`- uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0`

It would make it a bit more difficult to manually update the versions, but
Dependabot is able to do it automatically -- and it also makes sure to keep the
human-readable version as a comment 😄 . Do you already have Dependabot enabled?
I've found this [dependabot PR](https://github.com/apache/tomcat/pull/603), but
haven't found the dependabot.yml file, so I couldn't tell.

Both changes are recommended by security tools like
[Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies).
The GitHub Actions change is also recommended by [GitHub
itself](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions),
and you can read about the practical impact of the Docker image change in this
[blogpost](https://rockbag.medium.com/why-you-should-pin-your-docker-images-with-sha-instead-of-tags-fd132443b8a6).

Thanks!

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
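The check and the rewrite the report describes, as an added example that is not Tomcat project code and not the PR the reporter offered: a small Python script that flags every remote `uses:` reference in a workflow and every `FROM` image in a Dockerfile that is not pinned to a full 40-hex commit SHA or a `sha256:` digest, and rewrites the unpinned ones from a table of already-resolved values, keeping the human-readable version as a trailing comment as the report suggests. The sample workflow, the sample Dockerfile, the `example-org/lint-action` action and its SHA are constructed for the demo; the setup-java SHA and the busybox digest are the values quoted in the report above, copied without re-verification. The tag-to-commit resolution itself (normally `git ls-remote` or the GitHub API, or left to Dependabot/Renovate) is represented by a dictionary so the script runs offline.

```python
"""Pinned-dependency check/rewrite for GitHub workflows and Dockerfiles.

Added example, not Tomcat project code. All sample inputs below are
constructed; the two resolved values are copied from the bug report.
"""
import re

# Only a full 40-hex commit SHA counts as pinned; tags and branches can move,
# and short hashes are ambiguous, so neither is accepted.
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses:` for a step action or a reusable workflow: owner/repo[/path]@ref,
# optionally quoted, optionally followed by a comment.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)(?P<q>[\"']?)"
    r"(?P<action>[^\s@#\"']+)@(?P<ref>[^\s#\"']+)(?P=q)(?P<rest>.*)$"
)
# FROM [--opt ...] image[:tag][@sha256:digest] [AS stage]
FROM_RE = re.compile(
    r"^(?P<kw>\s*FROM\s+)(?P<opts>(?:--\S+\s+)*)(?P<image>\S+)(?P<rest>.*)$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def workflow_findings(text):
    """Return (line_no, action, ref, pinned) for every remote `uses:`.
    Local actions (./path) and docker:// images are not owner/repo@ref
    references and are skipped here."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m["action"].startswith(("./", "docker://")):
            continue
        out.append((n, m["action"], m["ref"], bool(SHA1_RE.match(m["ref"]))))
    return out


def dockerfile_findings(text):
    """Return (line_no, image_ref, pinned) for each FROM that pulls an image.
    `FROM scratch` and references to earlier build stages pull nothing, so
    they are skipped; stage names are collected from `AS <name>`."""
    out, stages = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        as_m = re.search(r"\sAS\s+(\S+)", m["rest"], re.IGNORECASE)
        if as_m:
            stages.add(as_m.group(1))
        image = m["image"]
        if image == "scratch" or image in stages:
            continue
        out.append((n, image, bool(DIGEST_RE.search(image))))
    return out


def pin_workflow(text, resolved):
    """Replace tag refs with the commit they resolved to, keeping the version
    as a comment. `resolved` maps (action, tag) -> (sha, label); refs that are
    already SHAs or not in the table are left untouched. An existing trailing
    comment on a rewritten line is replaced by the version label."""
    lines = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        key = (m["action"], m["ref"]) if m else None
        if m and key in resolved and not SHA1_RE.match(m["ref"]):
            sha, label = resolved[key]
            line = f"{m['indent']}{m['action']}@{sha} # {label}"
        lines.append(line)
    return "\n".join(lines) + "\n"


def pin_dockerfile(text, digests):
    """Append @sha256:<digest> to FROM lines whose image:tag is in `digests`."""
    lines = []
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if m and m["image"] in digests:
            line = f"{m['kw']}{m['opts']}{m['image']}@{digests[m['image']]}{m['rest']}"
        lines.append(line)
    return "\n".join(lines) + "\n"


# Constructed sample inputs. example-org/lint-action and its SHA are made up.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
      - uses: ./.github/actions/local-step
      - uses: example-org/lint-action@0123456789abcdef0123456789abcdef01234567 # v1.2.0
"""
SAMPLE_DOCKERFILE = """\
FROM golang:1.20 AS builder
COPY . /src
RUN cd /src && go build -o /out/app .
FROM builder AS tests
RUN cd /src && go test ./...
FROM busybox:glibc
COPY --from=builder /out/app /app
"""
# Resolved values quoted from the bug report (not re-verified here);
# actions/checkout is deliberately left unresolved to show it is untouched.
RESOLVED_ACTIONS = {
    ("actions/setup-java", "v3"): ("5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2", "v3.11.0"),
}
DIGESTS = {
    "busybox:glibc": "sha256:2a6835efa6f7ba15d30e1118e72e9ba180e4ae8253bfe80e97628df85f3aad8f",
}

if __name__ == "__main__":
    for n, action, ref, pinned in workflow_findings(SAMPLE_WORKFLOW):
        print(f"workflow:{n}: {action}@{ref} {'pinned' if pinned else 'UNPINNED'}")
    for n, image, pinned in dockerfile_findings(SAMPLE_DOCKERFILE):
        print(f"Dockerfile:{n}: {image} {'pinned' if pinned else 'UNPINNED'}")
    print(pin_workflow(SAMPLE_WORKFLOW, RESOLVED_ACTIONS))
    print(pin_dockerfile(SAMPLE_DOCKERFILE, DIGESTS))
```

Run as a pre-commit hook or CI step, the two `*_findings` functions give the same signal as Scorecard's pinned-dependencies check; the rewrite functions are only useful once something (a bot or a scripted `git ls-remote`) keeps the resolved table current, which is the point Mark makes below: a pinned SHA that nobody bumps is a frozen dependency, not a managed one.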


[Bug 66658] Reference GitHub Actions and Docker Images by SHA

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66658

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
I see where this is coming from but this appears to be adding complexity for no
benefit as far as the Tomcat project is concerned.

Note that:
- No automated tools have write access to Tomcat repositories
- We only use GitHub provided actions
- We only use GitHub provided runners

If the sort of attack these changes are designed to mitigate was successful
then that would require compromise of the GitHub infrastructure and the impact
would be limited to the GitHub infrastructure. In short, there is no benefit to
the Tomcat project to making our action dependencies harder to manage.

We don't use Dependabot as it is generally noisy and has a high false positive
rate when raising security alerts (it tends to raise security issues for things
like test dependencies).

If we started to use 3rd-party actions then I can see the benefit in using
hashes and using Dependabot to simplify keeping them updated.

Currently, we reference the major version tag which keeps us up to date anyway.

I am leaning towards closing this as WONTFIX but I'll leave it open for now so
others can comment. Moving it to the NEEDINFO state although "needs
justification else will get closed" would be a better description.



[Bug 66658] Reference GitHub Actions and Docker Images by SHA

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66658

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|---                         |LATER

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
We'll come back to this in the future if the need arises.



[Bug 66658] Reference GitHub Actions and Docker Images by SHA

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66658

--- Comment #2 from Diogo Sant Anna <di...@google.com> ---
Hi Mark, thanks for the thoughtful reply!

I understand your concerns and they are all valid. It really doesn't make much
sense to hash-pin dependencies if you don't use any dependency automation tool,
and Dependabot can indeed become noisy. That said, feel free to close this
until you have another reason to reconsider using a dependency tool.

Additionally, I'll drop some comments that might be valuable if/when you end up
reconsidering this Bug:

- If you have experienced Dependabot and considered it noisy, I'd recommend
that you try Renovate bot (https://github.com/apps/renovate), which is known to
be a less noisy solution, but has basically the same features.

- In case you start using actions with write permissions, with access to
secrets or to build critical artifacts, don't forget to also hash-pin the
GitHub-owned actions. I know it might sound weird given you use the whole
infrastructure from GitHub, but note that their actions are stored and managed
very differently from their infrastructure. In their docs, they explicitly state
that there are risks in using tags even if you trust the author
(https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions).
