Implement Basic Supply Chain Security (#3395)

This commit is contained in:
Gerard Guillemas Martos 2024-01-26 08:56:29 +01:00 committed by GitHub
parent eeb9137ee6
commit 74d91d430e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 5113 additions and 2 deletions

2
.github/CODEOWNERS vendored
View file

@ -19,6 +19,8 @@ Makefile.* @surrealdb/ci
Cargo.lock @surrealdb/security
Cargo.toml @surrealdb/security
lib/Cargo.toml @surrealdb/security
cackle.toml @surrealdb/security
supply-chain/* @surrealdb/security
# General owners for the database
/doc/ @surrealdb/db

View file

@ -96,9 +96,29 @@ jobs:
- name: Install cargo-deny
run: cargo install --debug --locked cargo-deny
- name: Check dependencies
- name: Install cargo-vet
run: cargo install --debug --locked cargo-vet
- name: Install cargo-acl
run: |
cargo install --debug --locked cargo-acl
sudo apt-get install -y bubblewrap
- name: Check dependencies for known issues
run: cargo deny check
- name: Check dependencies for untrusted sources
run: cargo vet
- name: Check dependencies for unauthorized access
run: cargo acl -n
- name: Dependency check failure
if: failure()
run: |
echo "## :warning: Dependency check failed" >> $GITHUB_STEP_SUMMARY
echo "See instructions in the [supply chain security process](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/README.md#Process)." >> $GITHUB_STEP_SUMMARY
check-wasm:
name: Check Wasm
runs-on: ubuntu-latest

View file

@ -1,4 +1,4 @@
# <img height="25" src="/img/security.svg">&nbsp;&nbsp;Security Policy
# <img height="25" src="/img/security.svg">&nbsp;&nbsp;Open Source Security Policy
## Supported Versions
@ -86,6 +86,12 @@ SurrealDB makes use of Github's [Dependabot
alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) to continuously
monitor its dependencies for security issues.
SurrealDB also [implements basic supply chain security practices](https://github.com/surrealdb/surrealdb/pull/3395)
using [`cargo-vet`](https://mozilla.github.io/cargo-vet/index.html) and [`cargo-acl` (i.e.
Cackle)](https://github.com/cackle-rs/cackle) to mitigate the impact of attackers introducing malicious code into
third-party dependencies. These tools are executed as part of the CI process to ensure that significant changes in
dependencies are considered. More details about these practices can be found [here](supply-chain/README.md).
### Fuzzing
SurrealDB is [integrated](https://github.com/google/oss-fuzz/tree/master/projects/surrealdb) with Google's

1275
cackle.toml Normal file

File diff suppressed because it is too large Load diff

78
supply-chain/README.md Normal file
View file

@ -0,0 +1,78 @@
# Supply Chain Security
## Goal
Our main goal with supply chain security is to mitigate the impact of attackers introducing malicious code into third-party dependencies that SurrealDB relies on. At this stage, our aim is to introduce a basic mechanism by which dependency source and access is at least considered as part of the CI process, to reduce the attack surface of SurrealDB by limiting the number of dependencies completely exposed to supply chain attacks and to raise the bar for the effort needed to perform a successful supply chain attack against many of the current SurrealDB dependencies.
## Mechanism
Currently, supply chain security is implemented through a basic configuration of [`cargo-vet`](https://mozilla.github.io/cargo-vet/index.html) and [`cargo-acl` (i.e. Cackle)](https://github.com/cackle-rs/cackle) for the main SurrealDB repository. These tools are executed as part of the CI process. Ownership of the configuration files for these tools is assigned to **@surrealdb/security** group in the [`.github/CODEOWNERS`](https://github.com/surrealdb/surrealdb/blob/main/.github/CODEOWNERS) file.
### Security Compromises
At this stage, the following compromises are made due to lack of dedicated resources to audit dependencies:
- Dependencies published by SurrealDB employees are trusted by default when they are the only publisher.
- Dependencies audited directly (i.e. not transitively) by [some trusted organizations](https://raw.githubusercontent.com/bholley/cargo-vet/main/registry.toml) are trusted by default.
- Any dependencies that have not yet been audited are exempt from the vetting process.
In this implementation, it is important to note that `cargo-vet` is only used as an informational tool and that no significant security review will be performed by SurrealDB for third-party dependencies. The `cargo-vet` tool will be used to collect information from third-party audits that can be used to inform the decision of allowing or denying newly required access through `cargo-acl` as well as inventory which dependencies are published by trusted developers.
Using `cargo-acl`, the minimum required permissions for each existing dependency (from a total of 594 dependencies, only 272 required no special permissions) at the time of implementation have been granted without any significant review. This limits the exposure to supply chain attacks that require additional access (e.g. a dependency only granted `net` would not be able to suddenly read files and exfiltrate them over the network), but would still allow for dependencies that have been granted some level of access (specially `unsafe`, `fs` and procedural macros) to leverage this access to conduct significant supply chain attacks. Ideally, dependencies granted higher level of access should be reviewed in the future by leveraging `cargo-vet`. As [acknowledged by the Cackle project](https://github.com/cackle-rs/cackle/blob/main/SECURITY.md), we recognize that access limitations can be overcome by determined attackers.
### Process
The following is a simplified lightweight process to support contributors in passing dependency checking.
Using the dependency tools locally requires installing the following software:
```bash
cargo install --locked cargo-deny
cargo install --locked cargo-vet
# Linux
cargo install --locked cargo-acl
sudo apt install -y bubblewrap # Adapt as required
# Other Systems (Docker)
# You will need to build the following image at least once:
docker build -t surrealdb-local/builder --target builder -f docker/Dockerfile .
# Disable the sandboxing configuration in favor of Docker.
sed -i 's/kind = "Bubblewrap"/kind = "Disabled"/g' cackle.toml
# Run Cackle interactively inside the Docker image.
docker run --entrypoint /bin/bash -it --rm -v $(pwd):/app -w /app surrealdb-local/builder \
-c "cargo install cargo-acl && cargo acl"
# Revert the sandboxing configuration before committing your changes.
sed -i 's/kind = "Disabled"/kind = "Bubblewrap"/g' cackle.toml
```
The following process can be followed whenever the dependency checking action fails:
- If the action fails due to `cargo-deny`:
- Identify the affected dependency.
- In a separate branch, run `cargo update <PACKAGE>`.
- If there is no fix or an update is not possible:
- Add an [exception to the `deny.toml`](https://github.com/surrealdb/surrealdb/blob/main/deny.toml#L64) file.
- Add a comment to the exception with its rationale and the conditions for it to be removed.
- Request the changes on a separate PR. Paste the vulnerability details provided by `cargo-deny`.
- The PR containing the dependency update will be approved by **@surrealdb/security**.
- Rebase your original branch so that the dependency is updated.
- If the action fails due to `cargo-vet`:
- This means that the dependency has not yet been trusted, audited nor exempted.
- If this is a new dependency, think about whether or not it needs to be introduced to SurrealDB.
- If the dependency should be introduced:
- If published by [a SurrealDB employee](https://github.com/orgs/surrealdb/people), it can be trusted as `safe-to-deploy`.
- Ensure that all publishers of the dependency are SurrealDB employees.
- `cargo vet trust <PACKAGE>`
- Otherwise, it can be (for now) exempted from the vetting process.
- `cargo vet add-exemption <PACKAGE>`
- The changes will be approved by **@surrealdb/security**.
- If the action fails due to `cargo-acl`:
- The newly required access (e.g. `unsafe`, `fs`, `net`...) should be understood by the author of the PR.
- If an audit is present in [`supply-chain/audits.toml`](https://github.com/surrealdb/surrealdb/blob/main/supply-chain/audit.toml), you may review it to understand the required access.
- If the newly required permissions are understood and accepted.
- Locally run `cargo acl`. When the required access dialog appears, press `f`.
- Alternatively, you can directly edit the [`cackle.toml`](https://github.com/surrealdb/surrealdb/blob/main/cackle.toml) file to add the necessary permissions.
- Select the minimum access that you believe the dependency should be granted.
- Commit and push the changes to the config files to your PR.
- In your PR add a brief explanation of the granted access.
- The changes will be approved by **@surrealdb/security**.

88
supply-chain/audits.toml Normal file
View file

@ -0,0 +1,88 @@
# cargo-vet audits file
[audits]
[[trusted.addr]]
criteria = "safe-to-deploy"
user-id = 3987 # Rushmore Mushambi (rushmorem)
start = "2021-02-25"
end = "2025-01-24"
[[trusted.dmp]]
criteria = "safe-to-deploy"
user-id = 145457 # Tobie Morgan Hitchcock (tobiemh)
start = "2022-01-27"
end = "2025-01-24"
[[trusted.echodb]]
criteria = "safe-to-deploy"
user-id = 145457 # Tobie Morgan Hitchcock (tobiemh)
start = "2022-01-27"
end = "2025-01-24"
[[trusted.indxdb]]
criteria = "safe-to-deploy"
user-id = 145457 # Tobie Morgan Hitchcock (tobiemh)
start = "2022-02-19"
end = "2025-01-24"
[[trusted.lexicmp]]
criteria = "safe-to-deploy"
user-id = 145457 # Tobie Morgan Hitchcock (tobiemh)
start = "2023-03-26"
end = "2025-01-24"
[[trusted.psl-types]]
criteria = "safe-to-deploy"
user-id = 3987 # Rushmore Mushambi (rushmorem)
start = "2021-03-12"
end = "2025-01-24"
[[trusted.revision]]
criteria = "safe-to-deploy"
user-id = 145457 # Tobie Morgan Hitchcock (tobiemh)
start = "2023-08-09"
end = "2025-01-24"
[[trusted.revision-derive]]
criteria = "safe-to-deploy"
user-id = 145457 # Tobie Morgan Hitchcock (tobiemh)
start = "2023-08-09"
end = "2025-01-24"
[[trusted.storekey]]
criteria = "safe-to-deploy"
user-id = 145457 # Tobie Morgan Hitchcock (tobiemh)
start = "2022-03-16"
end = "2025-01-24"
[[trusted.surrealdb]]
criteria = "safe-to-deploy"
user-id = 145457 # Tobie Morgan Hitchcock (tobiemh)
start = "2022-07-19"
end = "2025-01-24"
[[trusted.surrealdb-derive]]
criteria = "safe-to-deploy"
user-id = 145457 # Tobie Morgan Hitchcock (tobiemh)
start = "2022-02-26"
end = "2025-01-24"
[[trusted.surrealdb-jsonwebtoken]]
criteria = "safe-to-deploy"
user-id = 3987 # Rushmore Mushambi (rushmorem)
start = "2023-08-29"
end = "2025-01-24"
[[trusted.surrealml-core]]
criteria = "safe-to-deploy"
user-id = 145457 # Tobie Morgan Hitchcock (tobiemh)
start = "2023-10-31"
end = "2025-01-24"
[[trusted.trice]]
criteria = "safe-to-deploy"
user-id = 145457 # Tobie Morgan Hitchcock (tobiemh)
start = "2022-02-17"
end = "2025-01-24"

2057
supply-chain/config.toml Normal file

File diff suppressed because it is too large Load diff

1585
supply-chain/imports.lock Normal file

File diff suppressed because it is too large Load diff