Supply-Chain Firewall unverified package manager command
Goal
This rule detects instances of Supply-Chain Firewall running a package manager command without verification, which occurs when the underlying package manager is on an unsupported version. Supply-Chain Firewall was therefore unable to resolve the command’s installation targets, if any.
Strategy
This rule monitors Supply-Chain Firewall’s logs for the attribute @verified:false. This attribute is set only when Supply-Chain Firewall was unable to verify a package manager command it executed.
Triage and response
- Examine the logs to determine the package manager command that was executed and whether the command may have installed packages.
- Determine whether any packages that were installed have associated security advisories using:
  - Datadog Security Research’s public malicious packages dataset
  - OSV.dev’s public API or website
- Based on the results of the previous step, take any necessary action to remediate the system where the command was executed.
- If possible, update the affected package manager to a supported version to take advantage of Supply-Chain Firewall verification.
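As an added example (not part of this rule page or of the Supply-Chain Firewall project), the following Python applies the triage steps above to constructed log lines: it selects events where the verified attribute is false, flags commands that look like installs, and builds the request body for OSV.dev’s querybatch endpoint from packages the triager has identified. The log field names and the install-verb table are assumptions.

```python
import json

# Constructed sample lines in the shape this example assumes Supply-Chain Firewall
# logs take (one JSON object per line; "verified" is the attribute the rule
# searches as @verified:false). The other field names are assumptions.
SAMPLE_LOGS = """\
{"command": "npm install lodash", "verified": true, "targets": ["lodash@4.17.21"]}
{"command": "pip install requests", "verified": false, "targets": []}
{"command": "npm ls", "verified": false, "targets": []}
this line is not JSON and must not break the scan
"""

# Subcommands that can add packages (assumed list); anything else is treated as
# non-installing and therefore lower priority for triage.
INSTALL_VERBS = {
    "npm": {"install", "i", "add", "ci", "update"},
    "pip": {"install"},
    "poetry": {"add", "install"},
}


def may_install(command):
    """True when the first two words form a known package-installing invocation."""
    parts = command.split()
    return len(parts) >= 2 and parts[1] in INSTALL_VERBS.get(parts[0], set())


def unverified_commands(log_text):
    """Return the commands a triager must examine: events with verified == false."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
        if event.get("verified") is False:
            cmd = event.get("command", "")
            findings.append({"command": cmd, "may_install": may_install(cmd)})
    return findings


def osv_querybatch(packages):
    """Build the body for POST https://api.osv.dev/v1/querybatch.
    packages: iterable of (ecosystem, name, version) the triager identified."""
    return {"queries": [
        {"package": {"ecosystem": eco, "name": name}, "version": ver}
        for eco, name, ver in packages
    ]}
```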