解决供应链问题的方案是,别再把你的依赖项从 .gitignore 里移除了。

4作者: SchizoDuckie大约 2 个月前
今天我意识到一个重要的问题,我们都被骗了。<p>如果我们将特定语言的 vendor/node_modules/venv 目录签入 Git,并直接从中部署,那么目前发生的所有供应链攻击根本就不会发生。<p>去他的依赖项安装和升级步骤。去他的自动化构建步骤。去他的破坏性变更,因为 $package_owner 不遵守语义版本控制。<p>单独签入依赖项及其更新,一直是,也永远是摆脱这种困境的出路。<p>今天就从你的 .gitignore 中删除 vendor/ node_modules/ 和 venv/,并在你的 CI 中跳过安装步骤,你就能立即消除 99% 的攻击面。一直以来都这么简单吗??? 我认为是这样的!<p>你认为签入你的 composer.lock 或 package.lock 就能解决问题?哈。 npm install 是“智能”的,它会检查更新并默默地安装新版本并更新你的 lockfile。你应该使用 npm ci。我们积极地训练开发人员运行 'composer update' 来检查新版本,这些新版本修复了他们在本地可能遇到的“问题”,并删除 lockfile 作为解决问题的首要措施。<p>你检查了 composer.lock 的每次更新吗?那个看似无辜的提交哈希值可能只是引入了 20kb 的混淆的恶意代码,而你永远不会知道。<p>所有这些都因为一个长期存在的、可笑的 github 漏洞而变得更加复杂,你可以 fork 一个存储库并将你的提交推送到它,然后提取提交哈希值并将其附加到原始存储库 URL。在 Github Web 界面上,你会看到一个通知“此提交可能不属于此存储库或其 fork”,但在终端上你永远不会看到它,而这正是当前蠕虫利用的漏洞。<p>签入你的依赖项并消除安装步骤将使所有这些都可追踪和可追溯。在我看来,性能损失是值得的。
查看原文
I head the major realisation today that we&#x27;ve all been bamboozled.<p>All the supply chain attacks currently happening would never even happen if we just checked in our language-respective vendor&#x2F;node_modules&#x2F;venv directories into git and just deployed straight from that.<p>Screw the dependency install and upgrade step. Screw the automated build step. Screw the breaking changes because $package_owner doesnt adhere to semver.<p>Checking in dependencies and their updates individually is, and has always been the way out of this mess.<p>Remove vendor&#x2F; node_modules&#x2F; and venv&#x2F; from your .gitignore today and skip the install step in your CI and you eliminate 99% of the attack surface instantly. Was it always that easy???? I think it was!<p>You think checking in your composer.lock or package.lock saves you? Hah. Npm install is &quot;smart&quot; and checks for updates and silently installs new versions and updates your lockfile. You should have used npm ci instead. We actively train devs to run &#x27;composer update&#x27; to check for new releases that fix &#x27;issues&#x27; they might encounter locally and delete the lockfiles as a first measure to fix issues.<p>Do you vet every update to your composer.lock? That one innocent commit hash that&#x27;s changed could just pull in 20kb of obfuscated exploit code and you&#x27;d never know.<p>All of this is compounded by the longstanding hilarious github bug where you can fork a repository and push your commit to it, then pluck the commit hash and append that to the original repository URL. On the Github webinterface you&#x27;ll see a notice &quot;this commit has might not belong to this repo or a fork of it&quot; but on the terminal you&#x27;ll never see that, and that&#x27;s exactly what the current worms exploit.<p>Checking in your dependencies and eliminating the install step would make all of this trackable and traceable. Imo the performance hit is worth it.