Blog

Secure Open Source Consumption: Level 1 of S2C2F

Nov 27 2023/opensource/5 min read
Secure Open Source Consumption: Level 1 of S2C2F
Uncover how to reach Level 1 in S2C2F a framework for secure OSS consumption.

Attacks targeting open source software (OSS) are on the rise, making the security of your software supply chain a top priority. What do you have to do, exactly, to secure your software supply chain?

This is the third blog in a Cloudsmith series about software supply chain security. The first blog gave an overview of the most common types of attacks on OSS. Next, we explored the Secure Supply Chain Consumption Framework (S2C2F), which is designed to mitigate against these attacks. 

Level 1 of S2C2F is the bare minimum organizations should do to securely consume OSS. Today's blog focuses on the actionable steps and essential tools required to attain Level 1. 

Level 1 primarily centers on the ingestion of OSS and requires the following:

  1. Use an artifact repository (like Cloudsmith!) to cache OSS
  2. Maintain an automated OSS inventory, such as a software bill of materials  (SBOM)
  3. Scan OSS for known vulnerabilities and licenses
  4. Update your vulnerabilities (manually is okay at this level)

A major step in Level 1 is the adoption of an artifact repository like Cloudsmith as a central location for all OSS packages. This facilitates applying security controls for your OSS, and guarantees the availability of OSS package dependencies and protects you from incidents like the npm left-pad vulnerability.

S2C2F

Let's refresh on the eight principles of S2C2F:

8 principles of the Secure Supply Chain Consumption Framework (S2C2F)
  1. Ingest — Consume your OSS from one location controlled by your organization, like Cloudsmith.
  2. Inventory — Create a list of all your OSS dependencies.
  3. Update — Update known vulnerabilities in a timely manner.
  4. Enforce — Force developers to adopt secure practices. 
  5. Audit — Audit that developers are consuming through the approved ingest method, and validate the integrity of the OSS that you are consuming.
  6. Scan — Scan for malware and vulnerabilities using automation where possible.
  7. Rebuild — Rebuild OSS on trusted infrastructure.
  8. Fix Upstream — Have the ability to fork and fix code, when necessary, for a temporary fix.

Steps to Level 1

Level 1 of the S2C2F concentrates on the Ingestion, Inventory, Scan and Update principles. The following initiatives are required:

Pre-assessment

Before you start implementing changes in your organization to align with S2C2F it is advised that you perform an assessment of the organization's degree of maturity in software developer OSS management, security, and consumption processes.

Ingest it

Package manager

Use a package manager to consume OSS packages. A package manager keeps track of what software is installed on your computer, and allows you to easily install new software, upgrade software to newer versions, or remove software that you previously installed. Scroll to the table below for a list of commonly used languages and their respective package format, registry, etc.  

Artifact repository

Use an artifact repository like Cloudsmith to host all of your software packages and OSS packages. To set up Cloudsmith to cache your upstream OSS, do the following:

  1. Update your software’s configuration file to point to your artifact repository (see the table below for the settings file for popular languages).
  2. Start hosting your OSS packages on Cloudsmith by caching your public repositories or upstreams. If the upstream repository you depend on goes down or is otherwise unavailable, your team can still access your cached versions stored in Cloudsmith. Cloudsmith will scan all the OSS packages for malware and vulnerabilities and also extract their licenses. This setup empowers our users to apply customized policies for enhanced security and management.

Inventory it

Automated OSS inventory

Level 1 of S2C2F requires organizations to maintain an automated inventory of all OSS used in development. There are a number of ways to take an inventory of your OSS

  1. The gold standard for inventorying your OSS is to generate a Software Bill of Materials (SBOM) at build time. An SBOM is an ingredient list of all the dependencies in your software in a standardized format. SBOMs are needed for more advanced levels of this framework. OSS tools to generate SBOMs that can be integrated into your CI/CD include Dependency-Track, cyclone dx tooling, syft and trivy.
  2. If you cache and proxy all the public registries that your organization uses on Cloudsmith, you can search for all packages that originated from an upstream via the UI or API by searching for tag:upstream (or even tag:maven-central if that's what you named the upstream when setting it up etc). 
  3. You can use your software’s dependency file (e.g. requirements.txt for Python builds) to see what dependencies your software is pulling in. This file may not include your software’s transitive dependencies (your dependencies’ dependencies).

Scan it

Scan for known vulnerabilities

Scan OSS for known vulnerabilities (i.e. CVEs, GitHub Advisories, etc.). Here are a few ways to do this:

  1. Ideally you are integrating scanning tools early in your software development process using free tools like grype or paid tools like snyk.
  2. Cloudsmith scans cached OSS for malware and vulnerabilities. You can set a policy so that all packages must be above a certain vulnerability level and you can rescan a package for vulnerabilities.

Scan for OSS licenses

Scan all the OSS in your organization for licenses.

  1. Cloudsmith will extract the license for all cached OSS packages. Cloudsmith’s license policies allow you to define which package licenses are allowed within your organization.
  2. Alternatively you can use OSS ScanCode to detect OSS  licenses. 

Update it

Update Manually

Update vulnerable OSS manually using the results of your scanners, Level 1 S2C2F requires you to update vulnerable OSS manually. The framework advises that every organization should aspire to patch vulnerable OSS packages in under 72 hours. More advanced levels of S2C2F require you to use tools like Dependabot to help you automate this process.

Tooling for Level 1 S2C2F

Ingest it Inventory it Scan it Update it
Cloudsmith
package managers		 Cloudsmith
Dependency-Track
CycloneDX
Syft
Trivy		 Cloudsmith
Grype
Snyk		 Manual (Dependabot for automation)
Package Information
Language Package Format Package Manager Public Registry Config File Dependancy File
Java JAR (Java Archive) Maven Maven Central settings.xml pom.xml
Python Wheel pip PyPI pip.conf requirements.txt
.Net (C#) NuGet NuGet NuGet Gallery NuGet.config packages.config
JavaScript/Node npm npm npm package.json package-lock.json
C/C++ No standardized format
vpkg and Conan are popular		 No standardized pm
vpkg and Conan are popular		 Conan
vcpkg		 conanfile.txt (for Conan), CMakeLists.txt (for CMake), vcpkg-configuration.json for vcpkg conanfile.txt (for Conan), CMakeLists.txt (for CMake)
Rust Crates Cargo Crates Cargo.toml Cargo.lock
Ruby Gem RubyGem RubyGem .gemrc Gemfile
Go Go Module go Go doesn't have a centralized registry go.mod go.sum
PHP Composer Composer Packagist composer.json composer.lock

By prioritizing ingestion, inventory management, and scanning, you'll bolster your software supply chain's resilience against potential threats. Leveraging package managers, artifact repositories like Cloudsmith, and automated inventory tools enhances security and guarantees availability when consuming OSS. 

What’s next from Cloudsmith?  In future blogs, we’ll discuss how you can achieve the advanced S2C2F framework levels, offering actionable steps to further enhance your OSS consumption practices and fortify your software ecosystem. Subscribe below!

Register here for our upcoming webinar on S2C2F with the creator of S2C2F and leader of the Secure Software Supply Chain team at Microsoft, Adrian Diglio. 

Picture of Ciara Carey
Read more byCiara Carey
Get our next blog straight to your inbox