OSTIF is proud to share the results of our security audit of Cloud Native Buildpacks. Cloud Native Buildpacks (or “Buildpacks”) is an open source tool for making container images for any cloud directly from the application source code. With the help of Quarkslab and the Cloud Native Computing Foundation (CNCF), this project has fulfilled a requirement of a third-party audit for graduation as well as hardened security and overall improved project health. 

Audit Process:

Quarkslab completed static and dynamic analysis for this audit of Cloud Native Buildpacks’ lifecycle and pack components, manually reviewing code as well as performing automated static analysis of the project’s workflow. The manual review and testing of the workflow was done after creating a threat model of the project, which was reviewed and refined with the Buildpacks team. In particular, the threat model identified trusted and untrusted workflows, which in turn pointed to the critical assets of Buildpacks. This information helps security researchers define the scope of possible threat actors and the actions they could achieve, and then use that scope to pinpoint deficient code or functions. 

Audit Results:

  • Detailed Threat Model of Cloud Native Buildpacks 
  • 10 total findings with a security impact, 8 vulnerabilities
    • 2 High, 2 Medium, 4 Low, and 2 Informational
    • All logical vulnerabilities were located in the CNB workflow within the CI/CD pipeline
  • Recommendations for fixes of all 10 logged issues
  • Recommendations for further and future security work and efforts

Quarkslab noted in their report that, overall, the Buildpacks specification and source code are of good quality, with no major issues in the project’s stand-alone usage. As Buildpacks works towards graduation status through the CNCF, we hope their users and community continue to support this and other open source projects as they work to improve and harden their security and lifecycles. 

Early this week, Cloud Native Buildpacks cut releases to fix several issues identified in this engagement (see the milestones for pack 0.35.0 and lifecycle 0.20.0). If you are a user of this project, please update. The Cloud Native Buildpacks maintainers’ quick response to the reported issues makes this audit even more impactful. 

Thank you to the individuals and groups that made this engagement possible:

  • Buildpacks maintainers and community, specifically Terence Lee and Natalie Arellano 
  • Quarkslab, specifically Pauline Sauder, Mihail Kirov, and Sébastien Rolland
  • The Cloud Native Computing Foundation

You can read the Audit Report HERE

You can read Quarkslab’s Blog HERE

You can read Cloud Native Buildpacks’ blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting more critical work, contact [email protected].