Skip to content

Latest commit

 

History

History
128 lines (99 loc) · 6.37 KB

mitigations.md

File metadata and controls

128 lines (99 loc) · 6.37 KB

Mitigation Strategies Analysis for microsoft/vcpkg

Mitigation Strategy: Use a Private vcpkg Registry

1. Mitigation Strategy: Use a Private vcpkg Registry

  • Description:

    1. Set up a private registry server: (Details omitted, as this is external to vcpkg)
    2. Configure the registry: (Details omitted, as this is external to vcpkg)
    3. Populate the registry:
      • Initial population: Download source, audit, and build using vcpkg.
      • Build the package: Use vcpkg install <package> --triplet <triplet> to build the package from the audited source code. Use the appropriate triplet for your target platform.
      • Upload to the registry: (Details omitted, as this is external to vcpkg)
    4. Configure vcpkg to use the private registry:
      • Set environment variables: This is the direct vcpkg interaction. Set VCPKG_DEFAULT_BINARY_CACHE and VCPKG_BINARY_SOURCES. Example: 
        export VCPKG_DEFAULT_BINARY_CACHE=https://your-private-registry/vcpkg-cache
export VCPKG_BINARY_SOURCES="clear;your-private-registry-source"
      • Test the configuration: Run vcpkg install <package> to verify.
    5. Maintain the registry: (Details omitted, as this is largely external to vcpkg)

  • Threats Mitigated:

    • Dependency Confusion/Substitution (High Severity)
    • Supply Chain Attacks (High Severity)
    • Outdated/Vulnerable Dependencies (Medium Severity)

  • Impact:

    • Dependency Confusion/Substitution: Risk reduced to near zero.
    • Supply Chain Attacks: Risk significantly reduced.
    • Outdated/Vulnerable Dependencies: Risk moderately reduced.

  • Currently Implemented: Not Implemented.

  • Missing Implementation: Entire strategy is missing. Requires setting environment variables for all vcpkg usage.

Mitigation Strategy: Binary Caching with Verification

2. Mitigation Strategy: Binary Caching with Verification

  • Description:

    1. Choose a binary cache provider: (Details omitted, as this is external to vcpkg)
    2. Configure the binary cache: (Details omitted, as this is external to vcpkg)
    3. Enable signature verification: (Details omitted, as this is external to vcpkg)
    4. Configure vcpkg:
      • Set the VCPKG_BINARY_SOURCES environment variable: This is the direct vcpkg interaction. Example with Azure Artifacts: 
        export VCPKG_BINARY_SOURCES="clear;nuget,https://your-nuget-feed/index.json,readwrite"
      • Configure authentication: Provide credentials (e.g., through environment variables or configuration files, depending on the provider and vcpkg's integration).
    5. Build and upload signed packages:
      • Use vcpkg with a signing tool. The specifics depend on the tool, but the interaction with vcpkg is to build the package as usual; the signing happens as a pre- or post-build step.
      • Upload using the provider's tools (not directly vcpkg).
    6. Test the configuration: Run vcpkg install <package>. vcpkg should download and verify the signature.

  • Threats Mitigated:

    • Supply Chain Attacks (High Severity)
    • Tampering (High Severity)

  • Impact:

    • Supply Chain Attacks: Risk significantly reduced.
    • Tampering: Risk reduced to near zero.

  • Currently Implemented: Partially Implemented (caching enabled, but no signature verification).

  • Missing Implementation: Signature verification. Requires setting VCPKG_BINARY_SOURCES to a provider supporting verification and configuring signing.

Mitigation Strategy: Explicitly Specify Package Versions (and Hashes)

3. Mitigation Strategy: Explicitly Specify Package Versions (and Hashes)

  • Description:

    1. Edit vcpkg.json: This is the direct vcpkg interaction.
    2. Specify exact versions: Use the "version" field within the "overrides" section for each dependency. 
      {
  "dependencies": [
    { "name": "fmt", "version>=": "8.1.1", "overrides": [{"name": "fmt", "version": "8.1.1"}] }
  ]
}
    3. Use builtin-baseline: Add the builtin-baseline field and set it to a commit hash. 
      {
  "name": "my-project",
  "version": "1.0.0",
  "builtin-baseline": "a1b2c3d4e5f6...", // Commit hash
  "dependencies": [ /* ... */ ]
}
    4. Verify with dry-run (Optional): Use vcpkg install --triplet <triplet> --dry-run.
    5. Commit changes: Commit the updated vcpkg.json.

  • Threats Mitigated:

    • Dependency Confusion/Substitution (Medium Severity)
    • Outdated/Vulnerable Dependencies (Medium Severity)

  • Impact:

    • Dependency Confusion/Substitution: Risk moderately reduced.
    • Outdated/Vulnerable Dependencies: Risk moderately reduced.

  • Currently Implemented: Partially Implemented (some versions specified, builtin-baseline missing).

  • Missing Implementation: Full version specification and builtin-baseline in vcpkg.json.

Mitigation Strategy: Regularly Update vcpkg and Packages

4. Mitigation Strategy: Regularly Update vcpkg and Packages

  • Description:

    1. Update vcpkg:
      • Run git pull within the vcpkg directory. This is the direct vcpkg interaction.
    2. Update packages:
      • Run vcpkg update. This is the direct vcpkg interaction.
      • Run vcpkg upgrade. This is the direct vcpkg interaction.
    3. Establish a schedule: (Details omitted, as this is a process issue)
    4. Automate (Optional): (Details omitted, as this is external to vcpkg)

  • Threats Mitigated:

    • Outdated/Vulnerable Dependencies (High Severity)

  • Impact:

    • Outdated/Vulnerable Dependencies: Risk significantly reduced.

  • Currently Implemented: Not Implemented.

  • Missing Implementation: Requires regular execution of git pull, vcpkg update, and vcpkg upgrade.