Create rule S7205: Dependencies should be verified against a known checksum or signature #4702
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
hendrik-buchwald-sonarsource
changed the title
pierre-loup-tristant-sonarsource
marked this pull request as ready for review
pierre-loup-tristant-sonarsource
changed the title
hendrik-buchwald-sonarsource
approved these changes
Feb 28, 2025
rules/S7205/kotlin/rule.adoc
Outdated
| @@ -0,0 +1,85 @@ | |||
| Software projects often rely on external code libraries, known as dependencies. Package managers such as Gradle, allow developpers to reference dependencies for their projects. | |||
There was a problem hiding this comment.
Suggested change
| Software projects often rely on external code libraries, known as dependencies. Package managers such as Gradle, allow developpers to reference dependencies for their projects. | |
| Software projects often rely on external code libraries, known as dependencies. Package managers, such as Gradle, allow developers to reference dependencies for their projects. |
rules/S7205/kotlin/rule.adoc
Outdated
|
|
||
| == Why is this an issue? | ||
|
|
||
| Failing to verify the integrity of dependencies before using them is a significant security problem. It exposes your application, and potentially your users, to several risks. The core issue is that you're running code from an untrusted source without checking it, effectively giving an attacker a direct pathway into your application. |
There was a problem hiding this comment.
Suggested change
| Failing to verify the integrity of dependencies before using them is a significant security problem. It exposes your application, and potentially your users, to several risks. The core issue is that you're running code from an untrusted source without checking it, effectively giving an attacker a direct pathway into your application. | |
| Failing to verify the integrity of dependencies before using them is a significant security problem. It exposes your application, and potentially your users, to several risks. The core issue is that you are running code from an untrusted source without checking it, effectively giving an attacker a direct pathway into your application. |
As per styling guide for RSPEC.
rules/S7205/kotlin/rule.adoc
Outdated
|
|
||
| Failing to verify the integrity of dependencies before using them is a significant security problem. It exposes your application, and potentially your users, to several risks. The core issue is that you're running code from an untrusted source without checking it, effectively giving an attacker a direct pathway into your application. | ||
|
|
||
| This is often a key component of what's called a "supply chain attack." The attacker isn't directly attacking your application. Instead, they're attacking a component you use. This is an important consideration because the attack's source is less obvious. You might diligently secure your own code, but overlook the risk introduced by external dependencies. |
There was a problem hiding this comment.
Suggested change
| This is often a key component of what's called a "supply chain attack." The attacker isn't directly attacking your application. Instead, they're attacking a component you use. This is an important consideration because the attack's source is less obvious. You might diligently secure your own code, but overlook the risk introduced by external dependencies. | |
| This is often a key component of what's called a "supply chain attack." The attacker is not directly attacking your application. Instead, they're attacking a component you use. This is an important consideration because the attack's source is less obvious. You might diligently secure your own code, but overlook the risk introduced by external dependencies. |
As per styling guide for RSPEC.
Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com>
|
|
| @@ -0,0 +1,9 @@ | |||
| Software projects often rely on external code libraries, known as dependencies. Package managers such as Gradle, allow developpers to reference dependencies for their projects. | |||
There was a problem hiding this comment.
Suggested change
| Software projects often rely on external code libraries, known as dependencies. Package managers such as Gradle, allow developpers to reference dependencies for their projects. | |
| Software projects often rely on external code libraries, known as dependencies. Package managers such as Gradle, allow developers to reference dependencies for their projects. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
You can preview this rule here (updated a few minutes after each push).
Review
A dedicated reviewer checked the rule description successfully for: