asf-tooling opened a new issue, #1069:
URL: https://github.com/apache/tooling-trusted-releases/issues/1069

   **ASVS Level(s):** L2-only
   
   **Description:**
   
   ### Summary
   The CycloneDX CLI binary is downloaded from GitHub without any hash or 
signature verification. The code includes an explicit `# TODO: Check hash` 
comment acknowledging this gap. A compromised GitHub release or MITM attack 
could inject a malicious binary into the build. If the CycloneDX CLI binary is 
tampered with at the source, ATR would incorporate a potentially malicious 
binary into its Docker image that processes SBOM data.
   
   ### Details
   The issue exists in `Dockerfile.alpine` lines 45-48. The CycloneDX CLI is 
downloaded via curl without hash verification, despite a TODO comment 
indicating this is a known gap.
   
   ### Recommended Remediation
   Add SHA256 hash verification for CycloneDX CLI download:
   
   ```dockerfile
   # Add ENV variable for hash
   ENV CDXCLI_VERSION=0.29.1
   ENV CDXCLI_SHA256="<obtain from official release page>"
   
   # Download and verify. -f makes curl fail on an HTTP error instead of saving
   # the error page as the binary; a sha256sum -c mismatch fails the RUN step,
   # and with it the image build.
   RUN curl -fsSL "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v${CDXCLI_VERSION}/cyclonedx-linux-musl-x64" -o /usr/local/bin/cyclonedx && \
       echo "${CDXCLI_SHA256}  /usr/local/bin/cyclonedx" | sha256sum -c - && \
       chmod +x /usr/local/bin/cyclonedx
   ```
   
   To obtain the hash:
   1. Visit the official GitHub release page
   2. Download the binary manually
   3. Calculate hash: `sha256sum cyclonedx-linux-musl-x64`
   4. Add hash to Dockerfile ENV variable
   
   A hash computed from a local download only pins the bytes that were fetched at that moment; where the release page publishes a checksum for the asset, compare against it before pinning, and re-pin whenever `CDXCLI_VERSION` changes.
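   As an added illustration (not code from the ATR project or from this issue), the verify-then-install step of the proposed `RUN` line factored into POSIX shell functions and exercised offline against a constructed stand-in file, so both the accept path and the reject path (a tampered asset, a malformed pin) can be seen. The `verify_sha256` and `install_verified` names and the temporary file layout are assumptions made for the example.

   ```shell
   #!/bin/sh
   # Added example, not part of the ATR Dockerfile. The "binary" below is a
   # constructed text file standing in for cyclonedx-linux-musl-x64.

   # verify_sha256 FILE EXPECTED_HEX
   # Returns 0 when FILE's SHA-256 equals EXPECTED_HEX, 1 otherwise.
   # The pin is validated first so an empty or placeholder value (such as a
   # forgotten "<obtain from official release page>") cannot slip through.
   verify_sha256() {
       file="$1"
       expected="$2"
       case "$expected" in
           ""|*[!0-9a-f]*)
               echo "refusing to verify: pin is not a lowercase hex digest" >&2
               return 1 ;;
       esac
       [ "${#expected}" -eq 64 ] || { echo "pin is not 64 hex chars" >&2; return 1; }
       # Two spaces between digest and path is the format sha256sum -c reads.
       echo "$expected  $file" | sha256sum -c --status -
   }

   # install_verified SRC DEST EXPECTED_HEX
   # Mirrors the RUN line: fetch (cp stands in for curl), verify, then chmod +x
   # only on success. On mismatch the artifact is removed so a later build step
   # cannot pick up an unverified binary.
   install_verified() {
       src="$1"; dest="$2"; expected="$3"
       cp "$src" "$dest" || return 1
       if verify_sha256 "$dest" "$expected"; then
           chmod +x "$dest"
           return 0
       fi
       rm -f "$dest"
       return 1
   }

   demo() {
       tmp=$(mktemp -d)
       asset="$tmp/cyclonedx-linux-musl-x64"
       # constructed stand-in for the downloaded release asset
       printf 'fake cyclonedx cli v0.29.1\n' > "$asset"
       pin=$(sha256sum "$asset" | cut -d' ' -f1)

       if install_verified "$asset" "$tmp/cyclonedx" "$pin"; then
           echo "pinned asset: installed"
       fi

       # simulate tampering: one appended byte changes the whole digest
       printf 'x' >> "$asset"
       if install_verified "$asset" "$tmp/cyclonedx2" "$pin"; then
           echo "tampered asset: NOT caught"
       else
           echo "tampered asset: rejected, nothing installed"
       fi
       rm -rf "$tmp"
   }

   demo
   ```

   Inside a Dockerfile the same two lines (`sha256sum -c` followed by `chmod`) are enough, because a non-zero exit from any command in the `RUN` chain fails the build; the function form here only makes the outcomes testable.
   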
   
   ### Acceptance Criteria
   - [ ] CDXCLI_SHA256 ENV variable added to Dockerfile
   - [ ] Hash verification added to curl download command
   - [ ] Hash obtained from official GitHub release
   - [ ] Build fails if hash verification fails
   - [ ] Unit tests verify hash verification (if applicable)
   - [ ] Documentation updated with hash verification requirement
   - [ ] TODO comment removed
   
   ### References
   - Source reports: L2:15.1.2.md
   - Related findings: FINDING-200, FINDING-202
   - ASVS sections: 15.1.2
   
   ### Priority
   Medium
   
   ---


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

