Throwing out my thoughts on this subject.
A supply chain attack is when third-party software contains malware.
All the following operations can potentially compromise a machine:
The following ideas depends on the threat model. There are no solutions, only tradeoffs.
Library splitting by complexity
Most projects do not need a general-purpose http client.
Often you just want to do a few GET and POST requests and that's it.
When you pull in a general-purpose http-client you often get
a huge amount of code units. E.g.
composer.phar require guzzlehttp/guzzle:^7.0
has 45 classes and three other dependencies.
I'm thinking a library could possibly be split into two packages:
- http-client-complex (general-purpose)
The simple version of a library might only be a single class. It has a reduced feature set, but the code is smaller, has less bugs and is probably more secure. Code review is faster. Harder to slip in malware.
- Do not depend on a random package you found that was created yesterday
- Do not directly depend on 9000 packages
- Do not transitively depend on 9000 packages
- Do a dry run upgrade:
blox --dry-run uprade
The latest version is not always needed.
Lock a dep to e.g.
Some dependency managers allow you to lock
v1.* to only get patches and minors.
Don't blindly upgrade major versions.
If not too much work, exert 5 mins on a code review:
git add ./vendor # upgrade git diff ./vendor
Sandboxing (containers, VMs)
Maybe we should all start developing software in containers/VMs?
Disable post-install tasks
Some package managers has features where a task can be executed at different lifecycles.
# Skips execution of scripts defined in composer.json.` composer --no-scripts update
Issue frequency anomaly
If there is an unusual amount of activity in the offending issue tracker, it's worth checking out.
Inline packages and semi-adopt them
Are you depending on a package which is only one function or a single file? Why not just inline it?
mkdir -p ./vendor-inlined curl "https://raw.githubusercontent.com/lborgav/is-prime/master/index.js" -o ./vendor-inlined/is-prime.js
There are lots of packages that possibly could be consolidated into a single package.
Code scan for dangerous functions e.g.
Detect suspicious versioning patterns.