
Commit fdc7354

Package manager cooldown (#3805)
* Add in rules for package managers for cooldown (and a few other rules for pnpm) * Revert .gitignore * Update Dependabot configuration message for cooldown Clarified the message regarding the cooldown period for Dependabot updates. * Update bun-missing-minimum-release-age.yaml warning Consolidate warning message for missing minimum release age. * Update pnpm-block-exotic-sub-dependencies message Clarify the message for the pnpm-block-exotic-sub-dependencies rule. * Add warning for missing minimum release age in pnpm config Added a warning about missing minimum release age in pnpm configuration. * Revise pnpm trust policy message Updated trust policy message to include guidance on setting 'trustPolicy: no-downgrade' for security. * Update renovate config to include minimum release age Document the minimum release age for package updates. * Simplify dependency cooldown message in YAML Updated message to simplify instructions for setting a dependency cooldown in uv. * Remove example for npmMinimalAgeGate Removed example for npmMinimalAgeGate in the YAML configuration. * Add in .npmrc rule * Simplify branch one, teach it to not pick up blank lines, minor pedantic linting.
1 parent 96c3d0f commit fdc7354

18 files changed

Lines changed: 1295 additions & 0 deletions
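--- /dev/null
+++ b/PATH-NOT-SHOWN-bunfig-toml-test-fixture
@@ -0,0 +1,44 @@
+---
+# ruleid: bun-missing-minimum-release-age
+[install]
+production = true
+
+---
+[install]
+# ok: bun-missing-minimum-release-age
+minimumReleaseAge = 604800
+
+---
+[install]
+# ok: bun-missing-minimum-release-age
+minimumReleaseAge = 1000000
+
+---
+[install]
+# ruleid: bun-missing-minimum-release-age
+minimumReleaseAge = 86400
+
+---
+[install]
+# ruleid: bun-missing-minimum-release-age
+minimumReleaseAge = 0
+
+---
+[install]
+# ruleid: bun-missing-minimum-release-age
+minimumReleaseAge = "7 days"
+
+---
+[install]
+# ruleid: bun-missing-minimum-release-age
+minimumReleaseAge =
+
+---
+[install]
+# ok: bun-missing-minimum-release-age
+minimumReleaseAge = 604800 # 7 days in seconds
+
+---
+[install]
+# ruleid: bun-missing-minimum-release-age
+minimumReleaseAge = 604799 # 7 days in seconds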
Lines changed: 61 additions & 0 deletions
@@ -0,0 +1,61 @@
1+
---
2+
rules:
3+
- id: bun-missing-minimum-release-age
4+
pattern-either:
5+
# Branch 1: Missing minimumReleaseAge in [install]
6+
- patterns:
7+
- pattern-regex: '(?ms)\[install\](?P<TARGET>[^\[]*?)(?=\[|\z)'
8+
- metavariable-regex:
9+
metavariable: $TARGET
10+
regex: '^(?![\s\S]*minimumReleaseAge)'
11+
- focus-metavariable: $TARGET
12+
13+
# Branch 2: Value too low
14+
- patterns:
15+
- pattern-regex: 'minimumReleaseAge\s*=\s*\d+'
16+
- pattern-regex: '=\s*(?P<AGE>\d+)'
17+
- metavariable-comparison:
18+
metavariable: $AGE
19+
comparison: int($AGE) < 604800
20+
- focus-metavariable: $AGE
21+
22+
# Branch 3: Invalid format (non-numeric)
23+
- patterns:
24+
- pattern-regex: '(?m)minimumReleaseAge[ \t]*=[ \t]*(?P<VAL>[^\s\d][^\n]*)'
25+
- focus-metavariable: $VAL
26+
27+
# Branch 4: Empty value
28+
- patterns:
29+
- pattern-regex: '(?m)minimumReleaseAge\s*=\s*$'
30+
31+
message: >-
32+
This bunfig.toml does not set a minimum release age or sets it too low.
33+
Newly published packages can be malicious or unstable. Add
34+
`minimumReleaseAge = 604800` under the `[install]` section to wait 7 days
35+
before resolving newly published package versions.
36+
Added in: v1.3 Reference: https://bun.sh/docs/runtime/bunfig
37+
languages:
38+
- generic
39+
severity: MEDIUM
40+
paths:
41+
include:
42+
- "**/bunfig.toml"
43+
- "**/.bunfig.toml"
44+
metadata:
45+
category: security
46+
technology:
47+
- bun
48+
- javascript
49+
cwe:
50+
- "CWE-829: Inclusion of Functionality from Untrusted Control Sphere"
51+
owasp:
52+
- A08:2021 - Software and Data Integrity Failures
53+
confidence: HIGH
54+
likelihood: LOW
55+
impact: HIGH
56+
subcategory:
57+
- audit
58+
vulnerability_class:
59+
- Insecure Configuration
60+
references:
61+
- https://bun.sh/docs/runtime/bunfig
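Review bot: Branch 1 only fires when an `[install]` header is present, so a bunfig.toml with no `[install]` section at all is never reported even though it sets no minimum release age either, and the bunfig fixture file earlier in this commit has no case for it. In the same regex, `[^\[]*?` ends TARGET at the first `[` character anywhere in the section, so an array-valued key such as `someKey = ["a"]` placed before `minimumReleaseAge` under `[install]` would cut that line out of TARGET and produce a false "missing" finding. A further branch for the header-less file, e.g. `pattern-regex: '(?s)\A(?![\s\S]*\[install\])[\s\S]+'`, and a TARGET that stops only at a header at line start, e.g. `(?P<TARGET>(?:(?!^\[)[\s\S])*?)(?=^\[|\z)` under the existing `(?ms)` flags, would close both gaps; add a `# ruleid` and `# ok` fixture for each so the expectations pin them.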
Lines changed: 117 additions & 0 deletions
@@ -0,0 +1,117 @@
1+
---
2+
version: 2
3+
updates:
4+
# ok: dependabot-missing-cooldown
5+
- package-ecosystem: "npm"
6+
directory: "/"
7+
schedule:
8+
interval: "weekly"
9+
cooldown:
10+
default-days: 7
11+
12+
---
13+
version: 2
14+
updates:
15+
# ok: dependabot-missing-cooldown
16+
- package-ecosystem: "pip"
17+
cooldown:
18+
default-days: 7
19+
directory: "/"
20+
schedule:
21+
interval: "weekly"
22+
# ok: dependabot-missing-cooldown
23+
- package-ecosystem: "docker"
24+
directory: "/"
25+
groups:
26+
dependencies:
27+
patterns:
28+
- "*"
29+
schedule:
30+
interval: "weekly"
31+
cooldown:
32+
default-days: 7
33+
34+
---
35+
version: 2
36+
updates:
37+
# ok: dependabot-missing-cooldown
38+
- package-ecosystem: "pip"
39+
cooldown:
40+
default-days: 7
41+
directory: "/"
42+
schedule:
43+
interval: "weekly"
44+
# ruleid: dependabot-missing-cooldown
45+
- package-ecosystem: "docker"
46+
directory: "/"
47+
schedule:
48+
interval: "weekly"
49+
50+
---
51+
version: 2
52+
updates:
53+
# ruleid: dependabot-missing-cooldown
54+
- package-ecosystem: "pip"
55+
directory: "/"
56+
schedule:
57+
interval: "weekly"
58+
59+
---
60+
version: 2
61+
updates:
62+
# ok: dependabot-missing-cooldown
63+
- package-ecosystem: "pip"
64+
cooldown:
65+
default-days: 7
66+
directory: "/"
67+
schedule:
68+
interval: "weekly"
69+
70+
---
71+
version: 2
72+
updates:
73+
# ok: dependabot-missing-cooldown
74+
- package-ecosystem: "pip"
75+
directory: "/"
76+
cooldown:
77+
default-days: 7
78+
schedule:
79+
interval: "weekly"
80+
81+
---
82+
version: 2
83+
updates:
84+
# ok: dependabot-missing-cooldown
85+
- package-ecosystem: "pip"
86+
directory: "/"
87+
schedule:
88+
interval: "weekly"
89+
cooldown:
90+
default-days: 7
91+
92+
---
93+
version: 2
94+
updates:
95+
- package-ecosystem: "npm"
96+
directory: "/"
97+
cooldown:
98+
# ruleid: dependabot-missing-cooldown
99+
default-days: 3
100+
101+
---
102+
version: 2
103+
updates:
104+
- package-ecosystem: "npm"
105+
directory: "/"
106+
cooldown:
107+
# ruleid: dependabot-missing-cooldown
108+
default-days: null
109+
110+
---
111+
version: 2
112+
updates:
113+
- package-ecosystem: "npm"
114+
directory: "/"
115+
cooldown:
116+
# ruleid: dependabot-missing-cooldown
117+
default-days: "banana"
Lines changed: 73 additions & 0 deletions
@@ -0,0 +1,73 @@
1+
---
2+
rules:
3+
- id: dependabot-missing-cooldown
4+
pattern-either:
5+
# Branch 1: Missing cooldown
6+
- patterns:
7+
- pattern-inside: |
8+
updates:
9+
...
10+
- pattern: |
11+
- package-ecosystem: $ECOSYSTEM
12+
...
13+
- pattern-not: |
14+
- package-ecosystem: $ECOSYSTEM
15+
...
16+
cooldown:
17+
...
18+
...
19+
20+
# Branch 2: default-days too low
21+
- patterns:
22+
- pattern-inside: |
23+
updates:
24+
...
25+
- pattern-regex: 'default-days\s*:\s*(?P<DAYS>\d+)'
26+
- metavariable-comparison:
27+
metavariable: $DAYS
28+
comparison: int($DAYS) < 7
29+
- focus-metavariable: $DAYS
30+
31+
# Branch 3: Invalid default-days value
32+
- patterns:
33+
- pattern-inside: |
34+
updates:
35+
...
36+
- pattern: |
37+
cooldown:
38+
default-days: $DAYS
39+
- metavariable-regex:
40+
metavariable: $DAYS
41+
regex: '^\D'
42+
- focus-metavariable: $DAYS
43+
44+
message: >-
45+
This Dependabot configuration does not set a cooldown period. Newly
46+
published packages can be malicious or unstable. Add a `cooldown` block
47+
with `default-days: 7` to each `package-ecosystem` entry under `updates` to wait 7 days
48+
before proposing updates to newly published package versions.
49+
Reference: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cooldown
50+
languages:
51+
- yaml
52+
severity: MEDIUM
53+
paths:
54+
include:
55+
- "**/.github/dependabot.yml"
56+
- "**/.github/dependabot.yaml"
57+
metadata:
58+
category: security
59+
technology:
60+
- dependabot
61+
cwe:
62+
- "CWE-829: Inclusion of Functionality from Untrusted Control Sphere"
63+
owasp:
64+
- A08:2021 - Software and Data Integrity Failures
65+
confidence: HIGH
66+
likelihood: LOW
67+
impact: HIGH
68+
subcategory:
69+
- audit
70+
vulnerability_class:
71+
- Insecure Configuration
72+
references:
73+
- https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cooldown
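Review bot: A `cooldown:` block without a `default-days` key is not reported: Branch 1 only tests that `cooldown:` exists under the ecosystem entry, and Branches 2 and 3 both need a `default-days` value to match, so a `cooldown:` holding only an `exclude:` list passes the rule while the cooldown is effectively unset; the dependabot fixture file earlier in this commit has no case for this. Tightening Branch 1's `pattern-not` so the excluded shape is `cooldown:` followed by `default-days: $DAYS` and `...` (rather than `cooldown:` followed by `...` alone) would make Branch 1 flag it. If I recall the Dependabot cooldown schema correctly, `semver-major-days`, `semver-minor-days` and `semver-patch-days` override `default-days` for the matching update kind, so `default-days: 7` alongside `semver-patch-days: 0` re-enables immediate patch updates yet passes Branch 2; widening its regex to `(?:default|semver-(?:major|minor|patch))-days\s*:\s*(?P<DAYS>\d+)` would cover that, or the message should state that the per-semver keys are not checked.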
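--- /dev/null
+++ b/PATH-NOT-SHOWN-npmrc-test-fixture
@@ -0,0 +1,84 @@
+---
+# ruleid: npm-missing-minimum-release-age
+production = true
+
+---
+# ok: npm-missing-minimum-release-age
+min-release-age=7 # days
+
+---
+# ok: npm-missing-minimum-release-age
+min-release-age=7
+
+---
+# ok: npm-missing-minimum-release-age
+min-release-age=1000
+
+---
+# ruleid: npm-missing-minimum-release-age
+min-release-age = 6
+
+---
+# ruleid: npm-missing-minimum-release-age
+min-release-age = 0
+
+---
+# ruleid: npm-missing-minimum-release-age
+min-release-age = "7 days"
+
+---
+# ruleid: npm-missing-minimum-release-age
+min-release-age =
+
+---
+# ruleid: npm-missing-minimum-release-age
+min-release-age = null
+
+---
+# ok: npm-missing-minimum-release-age
+min-release-age = 604800 # 7 days in seconds, ironically okay
+
+---
+# ruleid: npm-missing-minimum-release-age
+min-release-age=3d
+
+---
+# ruleid: npm-missing-minimum-release-age
+min-release-age=-1
+
+---
+# ruleid: npm-missing-minimum-release-age
+registry=https://registry.npmjs.org/
+save-exact=true
+audit=true
+fund=false
+
+---
+# ok: npm-missing-minimum-release-age
+registry=https://registry.npmjs.org/
+save-exact=true
+min-release-age=7
+audit=true
+fund=false
+
+---
+@myorg:registry=https://npm.pkg.github.com
+//npm.pkg.github.com/:_authToken=${NPM_TOKEN}
+save-exact=true
+# ruleid: npm-missing-minimum-release-age
+min-release-age=3
+
+---
+@myorg:registry=https://npm.pkg.github.com
+//npm.pkg.github.com/:_authToken=${NPM_TOKEN}
+save-exact=true
+# ruleid: npm-missing-minimum-release-age
+min-release-age=
+
+---
+# ruleid: npm-missing-minimum-release-age
+registry=https://registry.npmjs.org/
+//registry.npmjs.org/:_authToken=${NPM_TOKEN}
+@myorg:registry=https://npm.pkg.github.com
+//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}
+node-version=20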
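Review bot: None of these cases has the key commented out, e.g. `# min-release-age=7` or `;min-release-age=7` (both comment markers are valid in .npmrc), which should be `# ruleid: npm-missing-minimum-release-age` because npm ignores such a line while a regex that is not anchored at line start would treat it as satisfied. The rule itself is not in this chunk, so whether it anchors is not visible here, but this fixture is where that expectation would be pinned; add one case per comment marker.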
