asf-tooling opened a new issue, #1070:
URL: https://github.com/apache/tooling-trusted-releases/issues/1070

   **ASVS Level(s):** L2-only
   
   **Description:**
   
   ### Summary
   Syft is installed by piping a remote shell script from GitHub directly into 
`sh`. While HTTPS and version pinning in the URL provide some protection, the 
script itself could be modified (e.g., via GitHub account compromise) without 
detection. The previous approach using `go install` (commented out) would have 
leveraged Go module checksums for integrity. Syft is the primary tool for 
generating SBOMs from release artifacts. A compromised syft binary could 
generate falsified SBOMs that hide vulnerable components.
   
   ### Details
   The issue exists in `Dockerfile.alpine` lines 37-39. Syft is installed via the 
`curl | sh` pattern without hash verification of either the installation script or 
the resulting binary.
   
   ### Recommended Remediation
   Replace the `curl | sh` pattern with a direct binary download and hash 
verification:
   
   ```dockerfile
   # Add ENV variable for hash
   ENV SYFT_VERSION=1.38.2
   ENV SYFT_SHA256="<obtain from official release page>"
   
   # Download tarball directly with hash verification
   RUN curl -sSfL "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz" -o /tmp/syft.tar.gz && \
       echo "${SYFT_SHA256}  /tmp/syft.tar.gz" | sha256sum -c - && \
       tar -xzf /tmp/syft.tar.gz -C /usr/local/bin syft && \
       rm /tmp/syft.tar.gz
   ```
   
   **Alternative:** Restore `go install` approach which provides Go module 
checksum verification:
   
   ```dockerfile
   RUN go install github.com/anchore/syft/cmd/syft@v${SYFT_VERSION}
   ```
   
   This approach leverages Go's built-in integrity verification via module 
checksums.
   
   ### Acceptance Criteria
   - [ ] `curl | sh` pattern removed
   - [ ] Direct binary download with hash verification implemented
   - [ ] OR: `go install` approach restored with module checksum verification
   - [ ] SYFT_SHA256 ENV variable added (if using direct download)
   - [ ] Hash obtained from official GitHub release
   - [ ] Build fails if hash verification fails
   - [ ] Unit tests verify hash verification (if applicable)
   - [ ] Documentation updated with installation method
   
   ### References
   - Source reports: L2:15.1.2.md
   - Related findings: FINDING-200, FINDING-201
   - ASVS sections: 15.1.2
   
   ### Priority
   Medium
   
   ---
   
   **Triage notes:** get syft via a safer way


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
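The fail-closed check that the proposed `RUN` step depends on, as an added example that is not code from the issue or from the tooling-trusted-releases project: a SHA-256 verifier that rejects a placeholder or malformed pin, plus a lookup of the expected digest from a `<hex>  <filename>` checksums file (the `sha256sum -c` format). The file name `syft_x_linux_amd64.tar.gz`, the payload and the checksums file are constructed inline so the script runs offline; it assumes `sha256sum` and `awk` are available.

```shell
#!/bin/sh
# Added example, not from the issue or the project. Requires sha256sum and awk.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only if FILE exists and its SHA-256 equals EXPECTED_HEX.
# An empty or malformed pin (e.g. a placeholder left in the Dockerfile)
# must fail the check, never be accepted.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 1
    case "$expected" in
        "" | *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 1
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# expected_from_checksums CHECKSUMS_FILE NAME
# Prints the digest recorded for NAME in a "<hex>  <name>" file; fails if
# NAME has no entry, so a missing line cannot pass as a successful check.
expected_from_checksums() {
    awk -v name="$2" '$2 == name { print $1; found = 1 } END { exit !found }' "$1"
}

# demo: constructed tarball stand-in and checksums file (hypothetical names).
# Returns 0 only if the genuine file passes and a tampered file, a placeholder
# pin and a missing checksums entry are all rejected.
demo() {
    dir=$(mktemp -d) || return 1
    tgz="$dir/syft_x_linux_amd64.tar.gz"
    printf 'constructed release payload\n' > "$tgz"
    good=$(sha256sum "$tgz" | cut -d' ' -f1)
    printf '%s  syft_x_linux_amd64.tar.gz\n' "$good" > "$dir/checksums.txt"
    pin=$(expected_from_checksums "$dir/checksums.txt" syft_x_linux_amd64.tar.gz) || return 1
    verify_sha256 "$tgz" "$pin" || return 1
    printf 'tampered\n' >> "$tgz"                       # simulate a modified artifact
    verify_sha256 "$tgz" "$pin" && return 1
    verify_sha256 "$tgz" "<obtain from official release page>" && return 1
    expected_from_checksums "$dir/checksums.txt" other.tar.gz >/dev/null && return 1
    rm -rf "$dir"
}
```

In a Dockerfile the same property holds because `sha256sum -c -` exits non-zero on mismatch and `&&` stops the `RUN` chain, so the build fails rather than installing an unverified binary.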