InfoQ Homepage Software Supply Chain Content on InfoQ
-
Do Gen AI and OSS Regulation Bring Us Further Away from Exiting the Dependency Hell?
“The security of the software supply chain problem” still persists according to the yearly State Of Supply Chain report. It improved, but there is still a long way to go, given that 96% of all vulnerable downloads were avoidable. Besides the usual insights of how far from exiting the "dependency hell" we are, the novel challenges of 2023 include the legislative adoption of Gen AI-associated risks.
-
TorchServe Potentially Exposed to Remote Code Execution
Israeli-based security company Oligo has uncovered multiple vulnerabilities in TorchServe, the tool used to serve PyTorch models, that could allow an attacker to run arbitrary code on vulnerable systems. The vulnerabilities have been promptly fixed in TorchServe version 0.82.
-
GitHub Dependabot Gets Customizable Auto-Triage Rules to Reduce False Positives
After launching Dependabot's auto-dismiss policies a few months ago to reduce the number of false positive alerts, GitHub is now adding custom rules support for developers to define the criteria to auto-dismiss and reopen alerts.
-
Go 1.21 Toolchain is Now Reproducible to Help Safeguard from Supply-Chain Attacks
Go 1.21 toolchain is the first Go toolchain to be perfectly reproducible. This makes it possible to reduce the risk that a malicious actor can tamper with the output binaries, explains Google engineer Russ Cox, to carry through a supply chain attack.
-
OpenSSF New Manifesto Urges the Software Industry to Take Responsibility for Open Source Security
The Open Source Consumption Manifesto from OpenSSF aims to make the software industry more aware of its responsibility when it comes to ensuring the software supply chain remains secure and healthy.
-
Google Announces Graph for Understanding Artifact (GUAC) v0.1
The Open Source Security Team at Google has recently introduced GUAC (Graph for Understanding Artifact) v0.1, a tool designed for security professionals. GUAC focuses on metadata synthesis and aggregation, addressing the requirement outlined in the U.S. Executive Order on Cybersecurity. This tool aims to assist security professionals in assessing the security posture of the supply chain.
-
Manifest Confusion Paves the Way to New npm Supply Chain Threats
A recent report by former npm engineering manager Darcy Clarke found that the npm registry does not validate manifest information against the contents of its corresponding package tarball. This creates a double source of truth that attackers can exploit to hide scripts or dependencies, says Clarke.
-
GitHub Announces Code Scanning and Security Advisory Support for Swift
GitHub has launched code scanning support for Swift in beta and announced it will include Swift security advisories in its Advisory Database to extend the capabilities of its Dependabot vulnerability monitor.
-
Google Open Sources Bazel Plugin to Automate Secure Distroless Image Creation
Google and Bazel consulting firm Aspect announced version 1.0 of Bazel plugin rules_oci. Aimed to simplify secure container image creation using Bazel with special emphasis on Distroless images, the new plugin obsoletes rules_docker and improves it on a number of counts.
-
AWS Supply Chain Now Generally Available with New Features
AWS’s Supply Chain cloud application has recently been made generally available, offering unified data, actionable insights powered by machine learning, and contextual collaboration features to reduce costs and mitigate risk.
-
KubeEdge Achieves SLSA Level 3 Compliance
KubeEdge, a CNCF incubating project, recently met the Supply Chain Levels for Software Artifacts (SLSA) 3 compliance. SLSA 3 certifies the end-to-end security of KubeEdge's software supply chain process, ensuring that binary and container image artifacts are protected from malicious tampering.
-
Survey on Supply Chain Practices Finds Perceived Usefulness of Practice Correlates with Adoption
A recent survey on supply chain security practices found that some practices are widely adopted but key practices are lagging behind. Key practices, such as generating provenance, were noted for lagging behind in adoption. The survey also found that the perceived usefulness of a practice is highly correlated with the adoption of that practice.
-
Cross-Industry Report Identifies Top 10 Open-Source Software Risks
Promoted by Endor Labs and featuring contributions from over 20 industry experts, the new Endor Labs Station 9 report identifies the top operational and security risks in open-source software.
-
How Yahoo Secures Their Software Supply Chain at Scale: CloudNativeSecurityCon 2023
At CloudNativeSecrityCon 2023 in Seattle, WA, Hamil Kadakia and Yonghe Zhao, software engineers at Yahoo’s security team, presented on securing Software Supply Chain at Scale, and how to put together policies to safeguard against Supply Chain attacks.
-
Sonatype BOM Doctor Evaluates and Helps Patch Java Software Bills of Materials
BOM Doctor is a free, GitHub-hosted tool created by Sonatype to scan software bills of materials (SBOMs) and identify vulnerabilities and legal issues.