content: refactor threat diagram and add overview (#1057)

Refactor the threat diagram to address clarity concerns and to expand it beyond tampering. The intent is that this threat model can be useful for any software supply chain security effort. Many of the threats previously called "out of scope" should be listed here, even if the SLSA ladder does not (yet!) cover them.

NOTE: this is a partial solution, but more work is needed. I want to at least merge what we have so far so that others can iterate on it.

This design is the result of much discussion on Slack. Thank you to @adityasaky, @arewm, @david-a-wheeler, @jkjell, @mlieberman85, @marcelamelara, and @trishankatdatadog for your contributions and suggestions.

Summary of major changes:

* Add threat indicators for Producer and Consumer, remove for Dependencies.
* Rename "Package" to "Distribution".
* Rewrite titles to describe the position rather than the tampering threat.

Detailed diagram changes:

* Update the threat markers:
  - Add a threat for Producer to cover malicious intent. For example, if you install malware, it's not tampering---the producer really did intend to write malware, and no amount of code review will "fix" that! (Previously this was called "out of scope".)
  - Add a threat for Consumer to cover...? It makes the diagram nicer and I assume we want something here, but I don't know what that is yet!
  - Remove the threat for Dependency, since it generated a lot of confusion. The intent was that it is recursive, so the hope is that the diagram and text make this clear enough.
  - Re-letter the threat markers accordingly.
  - Update the threat titles to describe the position rather than the tampering threat. The old titles generated a lot of disagreement, and they relied on understanding the non-obvious interpretation of the model. Now, the new titles just describe that model, which is hopefully more clear to everyone.
* Rename "Package" to "Distribution" to better reflect what that box means.
* Move the arrow from Distribution to Dependency to make it clear that (H) is also recursive.
  - Also make the arrow solid instead of dashed, but keep the dashed box around Dependency. The idea is that the use of the dependency is a real input to the build, while Dependency itself is really just another package.
* Move "build params" to "Build threats" instead of "Source threats", and add new "Usage threats" category.
* (minor) Use the same green color throughout, rather than having a slightly different green color for arrows.

Text changes:

* Add an overview section that explains a bit more about the threat model.
* Add Dependency Confusion.
* Update text to match the new diagram (only partially done).

Signed-off-by: Mark Lodato <lodato@google.com>
1 parent d28bc77, commit 96cdd13
Showing 7 changed files with 269 additions and 182 deletions.
docs/spec/v1.1/images/supply-chain-threats-build-verification.svg (106 changes: 55 additions & 51 deletions)
Binary file not shown.