You are only as secure as your weakest dependency; SLSA 4 artifacts can have SLSA 0 dependencies? #61
Comments
|
Hi Edward, thanks for your comment. This issue is discussed in the scope section.
Does that help? Is further clarification needed? |
|
Upon reflection this seems to make sense for prioritizing the workload, if nothing else. As long as people understand the SLSA is a metric of build system quality, not code quality, I think that will be helpful overall. However - I look at the results from Google's |
Fixes slsa-framework#107 by creating an attestation that indicates a `verifier` has determined that the specified `subject` artifact(s) meets the indicated SLSA level. In addition this attestation also indicates the minimum aggregate SLSA level met by the dependencies used to build the artifact which can help to address slsa-framework#61. This leaves a number of things up to the user: * What it means to evaluate an artifact against policy. (See slsa-framework#46) * How to communicate the attestations required to create this attestation. * How to debug failures I borrowed heavily from slsa.dev/provenance in terms of formatting/documentation. This attestation is based off or work done by @AdamZWu. Signed-off-by: Tom Hennen <[email protected]>
Fixes slsa-framework#107 by creating an attestation that indicates a `verifier` has determined that the specified `subject` artifact(s) meets the indicated SLSA level. In addition this attestation also indicates the minimum aggregate SLSA level met by the dependencies used to build the artifact which can help to address slsa-framework#61. This leaves a number of things up to the user: * What it means to evaluate an artifact against policy. (See slsa-framework#46) * How to communicate the attestations required to create this attestation. * How to debug failures I borrowed heavily from slsa.dev/provenance in terms of formatting/documentation. If desired I can provide detailed algorithms for how the minimum_* fields could be computed. This attestation is based on work done by @AdamZWu. Signed-off-by: Tom Hennen <[email protected]>
My experience of several real supply-chain vulnerabilities is that integrity of the finished product depends on the whole supply chain. In particular, incidents like left-pad,
shared-mime-info, and a host of others have seen
substantial disruptions as a result of problems deep in the dependency tree.
With that in mind, I have a hard time seeing how SLSA levels can reasonably be independent of the quality assessment of the dependencies they rely on. If I read things right, you could have an SLSA 4 rating on a final product, but that rating could include components that were unrated or SLSA 0 or even I guess known to have problems.
Did I miss something crucial here? I just don't see the point of having hypercorrect build patterns for the finished product if the components it's being built from are not adequately testable.
The text was updated successfully, but these errors were encountered: