tools-deps

Discuss tools.deps.alpha, tools.build, and the clj/clojure command-line scripts! See also #depstar #clj-new
zane 2021-02-15T05:25:10.303700Z

@seancorfield I believe the Clojure tools use the HTTP client part of Jetty via com.cognitect/http-client.

zane 2021-02-15T05:30:26.304400Z

@seancorfield The context is that we’re trying to ship a Docker image to a partner. They ran a Twistlock security scan on it and it reported that the container contains a version of Jetty that has a vulnerability.

seancorfield 2021-02-15T05:31:02.304600Z

Interesting. OK, so clojure -Stree -A:deps should do it.

zane 2021-02-15T05:31:15.304800Z

It doesn’t actually tell you where in the container it found the offending copy of Jetty, but we looked around and there appears to be a copy in /usr/local/lib/clojure/libexec/clojure-tools-1.10.2.774.jar.

seancorfield 2021-02-15T05:31:37.305Z

That will pull in the version of tools.deps.alpha used by the tools and show the dependency tree.

zane 2021-02-15T05:31:46.305200Z

It’s not in our application’s dependencies, so clojure -Stree -A:deps shouldn’t show it, right?

zane 2021-02-15T05:32:09.305400Z

-Stree includes the tools’ dependencies as well?

seancorfield 2021-02-15T05:32:11.305600Z

org.eclipse.jetty/jetty-client 9.4.24.v20191120

seancorfield 2021-02-15T05:32:26.305800Z

-A:deps brings in t.d.a so it shows up in -Stree

zane 2021-02-15T05:32:30.306Z

Ahhh.

zane 2021-02-15T05:32:33.306200Z

That’s what I was missing.

zane 2021-02-15T05:32:53.306400Z

Okay, great. That matches what I found with find … | xargs jar --list --file.

seancorfield 2021-02-15T05:33:07.306600Z

And, yes, that is a transitive dep of the cognitect http client. TIL!

zane 2021-02-15T05:33:36.306800Z

Yeah, it was news to me as well.

zane 2021-02-15T05:34:11.307200Z

Seems like a vulnerability is with the server part of Jetty. Wish me luck trying to convince their security team that the Clojure CLI tools are benign. 😅

seancorfield 2021-02-15T05:40:28.307500Z

FWIW, the latest com.cognitect/http-client is 0.1.105 (t.d.a. uses 0.1.104) and that later version uses org.eclipse.jetty/jetty-client 9.4.27.v20200227

seancorfield 2021-02-15T05:42:41.307700Z

That's still in the range affected (but, again, is the client not the server).

seancorfield 2021-02-15T05:44:18.307900Z

(this made me check what version of Jetty we're using at work -- we tend to update lib deps regularly -- and we're on 9.4.36 which is after that vuln was fixed!)

2021-02-15T06:11:33.308100Z

That vuln is about the way jetty unpacks war files in the temp directory, if you don't use war files, no problem

2021-02-15T06:11:55.308300Z

It effects jetty-runner

borkdude 2021-02-15T11:07:08.309400Z

FYI, we now got rid of the CLJ_CONFIG hack in our mono-repo project by generating the deps.edns with babashka. It takes a map with default versions from another deps.end and merges those into the subproject deps.edn. https://gist.github.com/borkdude/58f099b2694d206e6eec18daedc5077b

seancorfield 2021-02-15T21:35:01.310800Z

I seem to recall that t.d.a checks Maven Central before it checks Clojars but what does it do about other :mvn/repos provided via deps.edn files?

seancorfield 2021-02-15T21:41:43.311900Z

Answering my own question: looks like it has code to turn the :mvn/repos hash map into a sequence that is always "central", "clojars", followed by any other repos you specify?

seancorfield 2021-02-15T21:43:39.313900Z

It seems like that would allow malicious actors to upload to Clojars an artifact that shadowed something in your private repo and deliver it without you really noticing? (I was just reading the stuff about npm, PyPI etc where the researcher subverted private artifacts for a bunch of companies)

seancorfield 2021-02-15T21:45:40.314Z

Thanks. I thought it had been discussed recently and I had read part of that thread before but not all of it.

seancorfield 2021-02-15T21:46:36.314200Z

So it still seems like someone who knew that Acme Inc was pulling some/thing 1.2.3 from their private repo could upload a fake some/thing 1.2.3 to Clojars and get into Acme's code that way...?

nnichols 2021-02-15T21:48:01.314400Z

The access tokens are scoped to the groups each artifact falls beneath, which helps; however, if you org has no presence on clojars, there’s no DNS/ownership validation. So, it would be possible for a former employee of Acme to publish that dep + version to clojars

seancorfield 2021-02-15T21:48:26.314600Z

Yup, that was what I was thinking...

nnichols 2021-02-15T21:48:40.314800Z

I really, really hope com / org / etc are restricted group names

seancorfield 2021-02-15T21:50:00.315Z

Well, it's not about that per se: if Acme Inc were using arbitrary group/artifact IDs in their internal private repo, such as department names and project names, then it's not even tied to their reverse domain.

seancorfield 2021-02-15T21:50:32.315200Z

I mean, I know that's probably bad practice on their part, but I suspect that's common practice.

nnichols 2021-02-15T21:50:45.315400Z

You’re probably right on that one

2021-02-15T21:51:01.315600Z

maven does allow for jar signing, and clojars even really pushes you to do it

seancorfield 2021-02-15T21:51:18.315800Z

https://github.com/clojure/tools.deps.alpha/blob/master/src/main/clojure/clojure/tools/deps/alpha/util/maven.clj#L126-L131 -- It would seem to be safer if the ordering here was central, then user-supplied repos, then clojars to avoid the supply chain issue?

seancorfield 2021-02-15T21:51:43.316100Z

Clojars long ago dropped any coercion to sign JAR files.

2021-02-15T21:52:06.316300Z

yeah, no one is checking signatures, and it annoys everyone

seancorfield 2021-02-15T21:52:09.316500Z

It used to have a two tier system where only signed JARs could be "promoted" to the top tier, but that's all gone.

nnichols 2021-02-15T21:52:41.316700Z

Any reason not to have user-supplied first? (Unless signature warnings are provided by the toolchain, I’m not sure how many devs would notice)

seancorfield 2021-02-15T21:53:09.316900Z

I would say we'd want to discourage shadowing of central?

seancorfield 2021-02-15T21:53:40.317100Z

But shadowing Clojars with an in-house repo seems acceptable/safer maybe.

seancorfield 2021-02-15T21:54:44.317300Z

(I have no dog in this fight: we no longer have an in-house repo/proxy service so pushing something to Clojars cannot intercept a dependency from a custom repo any more for us)

nnichols 2021-02-15T21:54:58.317500Z

Central had a minor incident is the only reason I question it: https://securityboulevard.com/2021/01/sonatype-stops-software-supply-chain-attack-aimed-at-the-java-developer-community/

2021-02-15T21:55:33.317800Z

moving the repos around doesn't really solve the issue though, if you put used defined repos before clojars, then some third party repo the user adds could be used to shadow some package in clojars

nnichols 2021-02-15T21:57:17.318Z

Yeah, I guess I’m strictly assuming that the only other real mvn/repos addition in this case is something like a private/internal artifactory that’d be sparsely populated

seancorfield 2021-02-15T21:57:38.318200Z

Yeah, that was my thinking too.

2021-02-15T21:57:51.318400Z

part of the reason the supply chain attack was so effective on other tooling is node and whatever python's package manager is both allow fetched packages to execute code as part of their build

seancorfield 2021-02-15T22:00:23.318700Z

In Central's "minor incident" that relied on devs searching Maven and mistaking the fake plugin artifact for the real one -- and stupidly adding a dependency on com.github.codingandcoding/something into their project at work. You can't protect against that sort of thing really.

seancorfield 2021-02-15T22:01:23.318900Z

(not that Central's massive range of group IDs isn't confusing at times with an artifact ID appearing under multiple group IDs due to not being unique enough or a project migrating from one org to another)

2021-02-15T22:01:24.319100Z

the problem of using names assigned to the content of files instead of names derived from the contents of files

seancorfield 2021-02-15T22:01:47.319300Z

Aye.