├── ISSUES.md
├── README.md
├── golang.md
├── mavencentral.md
├── npm.md
├── nuget.md
├── pypi.md
├── rubygems.md
├── rustcargo.md
└── swiftpm.md

/ISSUES.md:
--------------------------------------------------------------------------------
## References

This page links to noted issues that would potentially have been mitigated or addressed by using packman to reach a higher level of security.

- [Snyk blog on bootstrap-sass issue](https://snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem/)
- [npm malicious module](https://blog.npmjs.org/post/173526807575/reported-malicious-module-getcookies)
- [Event Stream Issue](https://github.com/dominictarr/event-stream/issues/116)

More Node.js related security incidents are tracked in the [Awesome Node.js Security](https://github.com/lirantal/awesome-nodejs-security#security-incidents) repository.

## Dependency Confusion References

- [Dependency Confusion Post by Alex Birsan](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# packman

A documentation and tracking project with the goal of making package management systems more secure. See [issues](./ISSUES.md) for a very rough list of a few of the related issues we have seen.

## Table Of Package Management Systems

| Language | Name | Tier | Controls | Packman Lead | Packman Page |
|----------|------|------|----------|--------------|--------------|
| JavaScript | npm | 1 | | | [npm](./npm.md) |
| Ruby | RubyGems | 1 | | | [rubygems](./rubygems.md) |
| Python | PyPI | 1 | | | [pip/pypi](./pypi.md) |
| Java | Maven Central | 2 | | | [maven central](./mavencentral.md) |
| Java | Android Central | ? | | | |
| .Net | NuGet | 2 | | | [nuget](./nuget.md) |
| Docker Hub | Docker | 1 | | | |
| Golang | go get | 1 | | | [golang](./golang.md) |
| PHP | Composer | ? | | | |
| Cocoa | CocoaPods | ? | | | |
| Swift | Swift Package Manager | 1 | | | [swiftpm](./swiftpm.md) |
| Rust | Cargo | 2? | | | [rustcargo](./rustcargo.md) |

## Tiers and Controls

* Tier 1: The lowest level of maturity. Consider this untrusted.
* Tier 2: Basic controls in place.
* Tier 3: Very secure.

| Control | Tier 1 | Tier 2 | Tier 3 |
|---------|--------|--------|--------|
| Strong Authentication | ☐ | ☑ | ☑ |
| MFA To Push Artifacts | ☐ | ☑ | ☑ |
| Security Contacts | ☐ | ☑ | ☑ |
| Packages Can Notify of Security Issues | ☐ | ☑ | ☑ |
| Code package tied to source code | ☐ | ☑ | ☑ |
| Prevents Credential from Being Published | ☐ | ☑ | ☑ |
| Update notifications | ☐ | ☑ | ☑ |
| Code signing | ☐ | ☐ | ☑ |
| Integrity Verification | ☐ | ☐ | ☑ |
| Code analysis (static) | ☐ | ☐ | ☑ |
| Code Dependency Analysis | ☐ | ☐ | ☑ |
| Package Manager Does Not Run Code | ☐ | ☐ | ☑ |
| Package Manager Does Not Collect Info | ☐ | ☐ | ☑ |
| Project Roles Guide | ☐ | ☐ | ☑ |
| Project Roles Review | ☐ | ☐ | ☑ |
| Account Level Library Tagging | ☐ | ☐ | ☐ |

## Detail About Controls

The following sections describe each of the controls referenced in the table above in more detail.

### Strong Authentication

Strong authentication means that the system:
- Requires complex passwords (> 10 chars with symbols, numbers, etc., or > 16 chars)
- Is resistant to brute forcing through lockouts
- Has password change notifications
- Supports only short sessions

### MFA To Push Artifacts

Since being able to push new code to a package manager is a powerful function, it is important to know that it cannot be done easily by guessing a maintainer's password. Implementing MFA

### Security Contacts and Process

To satisfy this requirement, the package manager must have a way to receive security information from the community and a process for handling such feedback. A published email address such as security@, together with a mechanism to ensure that the feedback is captured and responded to, would satisfy this requirement.

### Packages Can Notify of Security Issues

Packages may themselves identify issues or be notified of issues. The platform should support a way for a package maintainer to report a release with a security issue and:
- Potentially remove it from the package source
- Flag it for update

### Code Packages Tied to Source Code

Packages must somehow be tied to an explicit version of the code (a tag?) in a well-known public repository (bitbucket.org, github.com).

### Update Notifications

When packages are updated, all maintainers of that package should be notified.

### Consumer Check Status of a Package

When security issues are identified in a package, there should be a way for a consumer to check for them. This could be a command that allows the consumer to check for known issues.

### Code Signing

It should be possible for developers to sign their code. When they do, the package manager should verify the signatures and provide a way for them to be distributed to consumers of the package.

### Integrity Verification

The package manager provides a method for verifying the integrity of the downloaded package.
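As an added example (not code from the packman project or from any package manager), the following Python script shows what a consumer-side integrity check looks like on the None / Partial / Yes scale this section uses: a lockfile pins one digest per artifact, the digest algorithm is rated weak or strong, and the downloaded bytes are compared against the pin in constant time. The lockfile format, the artifact bytes and the split of algorithms into weak and strong are assumptions made for the example.

```python
"""Verify a downloaded package artifact against hashes pinned in a lockfile.

Added example for the packman "Integrity Verification" control; it is not
code from the packman project. The lockfile format, the artifact bytes and
the weak/strong split of hash algorithms are assumptions made for the example.
"""
import hashlib
import hmac

# Assumption: algorithms rated "Partial" (weak, collisions are feasible) versus
# "Yes" (sufficiently secure) on packman's None / Partial / Yes scale.
WEAK_ALGORITHMS = {"md5", "sha1"}
STRONG_ALGORITHMS = {"sha256", "sha384", "sha512"}


def rate_integrity_method(algorithm):
    """Map a hash algorithm name onto the None / Partial / Yes scale."""
    name = algorithm.lower()
    if name in STRONG_ALGORITHMS:
        return "Yes"
    if name in WEAK_ALGORITHMS:
        return "Partial"
    return "None"


def parse_pinned_hashes(lockfile_text):
    """Parse lines of the constructed form 'name==version algo:hexdigest'."""
    pins = {}
    for line in lockfile_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        requirement, digest_spec = line.split()
        algorithm, _, expected = digest_spec.partition(":")
        pins[requirement] = (algorithm.lower(), expected.lower())
    return pins


def verify_artifact(requirement, data, pins):
    """Return (rating, ok); ok is True only if the pinned digest matches the bytes."""
    if requirement not in pins:
        return "None", False  # nothing pinned: no integrity verification possible
    algorithm, expected = pins[requirement]
    rating = rate_integrity_method(algorithm)
    if rating == "None":
        return rating, False  # unknown algorithm: refuse rather than guess
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison so a mismatch does not leak through timing.
    return rating, hmac.compare_digest(actual, expected)


# Constructed sample data: the bytes of two "published" artifacts.
GOOD_ARTIFACT = b"package contents v1.2.3\n"
WEAK_ARTIFACT = b"legacy package contents v0.9.0\n"

# Constructed lockfile, as a consumer would record it at first install time.
SAMPLE_LOCKFILE = "\n".join([
    "# requirement  algorithm:hexdigest  (constructed example format)",
    "example-lib==1.2.3 sha256:" + hashlib.sha256(GOOD_ARTIFACT).hexdigest(),
    "legacy-lib==0.9.0 md5:" + hashlib.md5(WEAK_ARTIFACT).hexdigest(),
])


def demo():
    """Run the verifier over intact, tampered, weakly pinned and unpinned downloads."""
    pins = parse_pinned_hashes(SAMPLE_LOCKFILE)
    tampered = GOOD_ARTIFACT.replace(b"v1.2.3", b"v1.2.3 + extra bytes")
    return {
        "intact": verify_artifact("example-lib==1.2.3", GOOD_ARTIFACT, pins),
        "tampered": verify_artifact("example-lib==1.2.3", tampered, pins),
        "weak_pin": verify_artifact("legacy-lib==0.9.0", WEAK_ARTIFACT, pins),
        "unpinned": verify_artifact("unknown-lib==0.0.1", b"anything", pins),
    }


if __name__ == "__main__":
    for name, (rating, ok) in demo().items():
        print(f"{name:9s} rating={rating:8s} verified={ok}")
```

A tampered download fails even though its pin is strong; the MD5 pin still catches accidental corruption but only earns a Partial rating, and an artifact with no pin at all cannot be verified, which is the None case.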
- None - no integrity verification is done
- Partial - integrity verification is done using a weak method\*
- Yes - verification is done using a sufficiently secure method

\* We still need to define what counts as a weak method.

### Code Analysis Static

The platform can provide static code analysis to proactively identify potential issues in important libraries.

### Code Dependency Analysis

The platform can track vulnerabilities in libraries the package depends on (upstream packages) and notify maintainers when that is the case.

### Package Manager Does Not Run Code

The package manager should not run code on package install.

### Package Manager Should Not Collect Information

The package manager should not collect information about the project using the dependency.

### Project Roles Guide

The package management system should have a guide for roles on a project, which should include a succession plan and terms for active engagement.

### Project Roles Review

The package management system maintainers should have a process for reviewing the roles on projects to ensure the maintainers are active.

### Account Level Library Tagging

Consumers of libraries should be able to tag their interest in or approval of a specific library so that they can ensure that builds only use libraries they have tagged in certain ways, e.g. marked as code reviewed.

### Prevents Credential from Being Published

The package manager provides some control to prevent the authentication credentials / token / session from being leaked as part of the package contents.

- None - no control is present and the user has to protect themselves
- Partial - insert comment
- Yes - credentials / tokens are either blocked from publication or are revoked through an automated way triggered by publication of a package.
Users should be notified in some way that action has taken place.

## References to Related Projects

- [Dependency Track](https://www.owasp.org/index.php/OWASP_Dependency_Track_Project)
- [Dependency Check](https://www.owasp.org/index.php/OWASP_Dependency_Check)
- [PURL Spec](https://github.com/package-url/purl-spec)

--------------------------------------------------------------------------------
/golang.md:
--------------------------------------------------------------------------------
# Go Package Manager

Go package manager information.

## Tier

The Go package manager is tier 1.

## Contacts

## Compliance Table

| Control | Status | Comments |
|---------|--------|----------|
| Strong Authentication | Optional | GitHub |
| MFA To Push Artifacts | Optional | |
| Security Contacts | No | |
| Packages Can Notify of Security Issues | ??? | |
| Code package tied to source code | Yes | |
| Update notifications | No | |
| Code signing | Optional | |
| Code analysis (static) | No | |
| Code Dependency Analysis | No | |
| Package Manager Does Not Run Code | Yes | |
| Package Manager Does Not Collect Info | Yes | |
| Project Roles Guide | No | |
| Project Roles Review | No | |
| Account Level Library Tagging | No | |

--------------------------------------------------------------------------------
/mavencentral.md:
--------------------------------------------------------------------------------
# Maven Central Package Manager

Maven Central package manager information.

## Tier

Maven Central is tier .

## Contacts

## Compliance Table

| Control | Status | Comments |
|---------|--------|----------|
| Strong Authentication | Optional | |
| MFA To Push Artifacts | Optional | |
| Security Contacts | No | |
| Packages Can Notify of Security Issues | ??? | |
| Code package tied to source code | No | |
| Update notifications | No | |
| Code signing | ??? | |
| Code analysis (static) | No | |
| Code Dependency Analysis | No | |
| Package Manager Does Not Run Code | Yes | |
| Package Manager Does Not Collect Info | Yes | |
| Project Roles Guide | No | |
| Project Roles Review | No | |
| Account Level Library Tagging | No | |

--------------------------------------------------------------------------------
/npm.md:
--------------------------------------------------------------------------------
# npm

npm is the package manager for JavaScript.

## Tier

The npm package manager is tier 1.
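The compliance table in this file rates "Package Manager Does Not Run Code" as Optional because `--ignore-scripts` stops npm from executing the scripts a package.json declares. As an added example (not code from npm or the packman project), the following Python script lists, for a set of manifests, the lifecycle hooks that would run during install and produces the persistent form of that mitigation, the `.npmrc` setting `ignore-scripts=true`. The three manifests and the `.npmrc` contents are constructed for the example.

```python
"""List npm lifecycle scripts that would execute during `npm install`.

Added example for the "Package Manager Does Not Run Code" row in the npm
compliance table; it is not code from npm or the packman project. The
sample package.json documents are constructed for the example.
"""
import json

# Hooks npm runs automatically at install time. `prepare` runs on a bare
# `npm install` in the project root and for git dependencies; the other
# three run for every installed package that declares them.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def install_time_scripts(package_json_text):
    """Return {hook: command} for each hook in a manifest that runs on install."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit_packages(manifests):
    """Map package name -> install-time scripts, for packages that declare any."""
    report = {}
    for text in manifests:
        name = json.loads(text).get("name", "<unnamed>")
        hooks = install_time_scripts(text)
        if hooks:
            report[name] = hooks
    return report


def ensure_ignore_scripts(npmrc_text):
    """Return .npmrc content with ignore-scripts=true set exactly once.

    This is the persistent form of passing --ignore-scripts on every run;
    any existing ignore-scripts line is replaced.
    """
    kept = [line for line in npmrc_text.splitlines()
            if not line.strip().startswith("ignore-scripts")]
    kept.append("ignore-scripts=true")
    return "\n".join(kept) + "\n"


# Constructed sample manifests: one with no install hooks, one with a
# postinstall hook, and one without a scripts section at all.
SAMPLE_MANIFESTS = [
    json.dumps({"name": "clean-lib", "version": "1.0.0",
                "scripts": {"test": "node test.js", "build": "tsc"}}),
    json.dumps({"name": "hooked-lib", "version": "2.3.1",
                "scripts": {"postinstall": "node scripts/setup.js",
                            "test": "jest"}}),
    json.dumps({"name": "no-scripts-lib", "version": "0.1.0"}),
]


if __name__ == "__main__":
    for name, hooks in audit_packages(SAMPLE_MANIFESTS).items():
        for hook, command in hooks.items():
            print(f"{name}: {hook} -> {command}")
    # Constructed .npmrc contents for the demonstration.
    print(ensure_ignore_scripts("registry=https://registry.npmjs.org/\n"), end="")
```

Disabling scripts globally means packages that genuinely need a build step at install time must be handled explicitly, so the audit report is the input for deciding which of those, if any, a project chooses to allow.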

## Contacts

- security - security@npmjs.com
- support - support@npmjs.com
- homepage: https://npmjs.com

## Compliance Table

| Control | Status | Comments |
|---------|--------|----------|
| Strong Authentication | Optional | |
| MFA To Push Artifacts | Optional | |
| Security Contacts | Yes | [security.txt](https://www.npmjs.com/.well-known/security.txt) |
| Packages Can Notify of Security Issues | Partial | A [report a vulnerability](https://www.npmjs.com/advisories/report) function is available on every package page for maintainers to get an entry into the npm audit advisory feed |
| Code package tied to source code | No | |
| Update notifications | Partial | The maintainer that published the package is notified |
| Code signing | Partial | npm signs package metadata with internal gpg keys; verification is currently a [manual process](https://blog.npmjs.org/post/172999548390/new-pgp-machinery) |
| Code analysis (static) | No | |
| Code Dependency Analysis | Yes | [npm audit](https://docs.npmjs.com/cli/audit) |
| Package Manager Does Not Run Code | Optional | The `--ignore-scripts` argument will cause npm to not execute any scripts defined in the package.json |
| Package Manager Does Not Collect Info | No | [npm privacy policy](https://www.npmjs.com/policies/privacy) |
| Project Roles Guide | No | |
| Project Roles Review | No | |
| Account Level Library Tagging | No | |

--------------------------------------------------------------------------------
/nuget.md:
--------------------------------------------------------------------------------
# NuGet Package Manager

NuGet package manager information.

## Tier

NuGet is tier 2.

## Contacts

- support@nuget.org
- https://docs.microsoft.com/en-us/nuget/policies/governance

## Compliance Table

| Control | Status | Comments |
|---------|--------|----------|
| Strong Authentication | Optional | Uses Microsoft Live |
| MFA To Push Artifacts | Optional | |
| Security Contacts | Yes | support@nuget.org |
| Packages Can Notify of Security Issues | Yes | |
| Code package tied to source code | Optional | |
| Update notifications | Yes | |
| Code signing | Yes | |
| Code analysis (static) | No | |
| Code Dependency Analysis | No | |
| Package Manager Does Not Run Code | Optional | Packages can have scripts |
| Package Manager Does Not Collect Info | Yes | |
| Project Roles Guide | No | |
| Project Roles Review | No | |
| Account Level Library Tagging | Yes | |

--------------------------------------------------------------------------------
/pypi.md:
--------------------------------------------------------------------------------
# Python Pip Package Manager

Python pip information.

## Tier

The pip package manager with PyPI is tier 1.

## Contacts

- [PyPI Security](https://pypi.org/security/)
- [Python Security](https://www.python.org/dev/security/)
- [Python Packages](https://packaging.python.org/tutorials/packaging-projects/)

## Compliance Table

| Control | Status | Comments |
|---------|--------|----------|
| Strong Authentication | Optional | |
| MFA To Push Artifacts | No | |
| Security Contacts | Yes | |
| Packages Can Notify of Security Issues | ??? | |
| Code package tied to source code | No | |
| Update notifications | No | |
| Code signing | ??? | |
| Code analysis (static) | No | |
| Code Dependency Analysis | No | safety |
| Package Manager Does Not Run Code | No, it does | |
| Package Manager Does Not Collect Info | ??? | |
| Project Roles Guide | No | |
| Project Roles Review | No | |
| Account Level Library Tagging | No | |

--------------------------------------------------------------------------------
/rubygems.md:
--------------------------------------------------------------------------------
# RubyGems Package Manager

RubyGems information.

## Tier

The RubyGems package manager is tier 1.

## Contacts

## Compliance Table

| Control | Status | Comments |
|---------|--------|----------|
| Strong Authentication | Optional | |
| MFA To Push Artifacts | Optional | |
| Security Contacts | Yes | |
| Packages Can Notify of Security Issues | ??? | |
| Code package tied to source code | No | |
| Update notifications | No | |
| Code signing | Optional | |
| Code analysis (static) | No | |
| Code Dependency Analysis | No | bundler audit |
| Package Manager Does Not Run Code | No, it does | |
| Package Manager Does Not Collect Info | ??? | |
| Project Roles Guide | No | |
| Project Roles Review | No | |
| Account Level Library Tagging | No | |

--------------------------------------------------------------------------------
/rustcargo.md:
--------------------------------------------------------------------------------
# Rust Cargo Package Manager

Rust Cargo package manager information.

## Tier

The Cargo package manager is tier 2 (maybe?).

## Contacts

## Compliance Table

| Control | Status | Comments |
|---------|--------|----------|
| Strong Authentication | | Authentication is via GitHub, so maybe? |
| MFA To Push Artifacts | Optional | Via GitHub account |
| Security Contacts | Yes | https://github.com/RustSec/advisory-db/ |
| Packages Can Notify of Security Issues | Yes | https://github.com/RustSec/advisory-db/ |
| Code package tied to source code | | Probably, via the relevant repo |
| Update notifications | | |
| Consumer Check Status of a Package | Yes | cargo audit |
| Code signing | ?? | |
| Code analysis (static) | No | |
| Code Dependency Analysis | | |
| Package Manager Does Not Run Code | Yes | |
| Package Manager Does Not Collect Info | | |
| Project Roles Guide | No | |
| Project Roles Review | No | |
| Account Level Library Tagging | | |

--------------------------------------------------------------------------------
/swiftpm.md:
--------------------------------------------------------------------------------
# Swift Package Manager

Swift Package Manager (SPM) information.

## Tier

The Swift Package Manager (SPM) is tier 1.

## Contacts

- homepage: [https://swift.org/package-manager/](https://swift.org/package-manager/)
- support - [https://forums.swift.org/c/development/SwiftPM](https://forums.swift.org/c/development/SwiftPM)
- git repository - [https://github.com/apple/swift-package-manager](https://github.com/apple/swift-package-manager)

## Compliance Table

| Control | Status | Comments |
|---------|--------|----------|
| Strong Authentication | Optional | Via git repository manager |
| MFA To Push Artifacts | Optional | Via git repository manager |
| Security Contacts | No | |
| Packages Can Notify of Security Issues | No | |
| Code package tied to source code | Yes | |
| Update notifications | No | |
| Consumer Check Status of a Package | No | |
| Code signing | ?? | |
| Code analysis (static) | No | |
| Code Dependency Analysis | Yes | |
| Package Manager Does Not Run Code | Yes | |
| Package Manager Does Not Collect Info | Yes | |
| Project Roles Guide | No | |
| Project Roles Review | No | |
| Account Level Library Tagging | No | |

--------------------------------------------------------------------------------