Merge branch 'main' into WwyOzd7TG1

Signed-off-by: Andrés Vega <av@messier42.com>

Author: anvega

.github/auto_request_review.yml

@@ -25,6 +25,7 @@ reviewers:
       - mlieberman85
       - ragashreeshekar
       - sublimino
+      - eddie-knight
     supply-chain-security-reviewers:
       - mnm678
       - mlieberman85

CODEOWNERS

@@ -1,4 +1,4 @@
-# CNCF Security Technical Advisory Group
+# Security Technical Advisory Group
 
 ![Cloud Native Security Logo](/design/logo/cloud-native-security-horizontal-darkmodesafe.svg)
 
@@ -41,7 +41,7 @@ There is a growing ecosystem of tools that promises to unlock developer producti
 ## Publications
 
 TAG Security has published several resources for the community, which can be
-found in the [publications](PUBLICATIONS.md) document.
+found under [publications](publications/README.md).
 
 ## Governance
 
@@ -122,32 +122,37 @@ seen [here](governance/related-groups/README.md)
 
 ### Security TAG Chairs
 
-- Andrew Martin ([@sublimino](https://github.com/sublimino)), ControlPlane [Chair term: 3/17/2022 - 3/17/2024]
-- Pushkar Joglekar ([@PushkarJ](https://github.com/PushkarJ)), Independent [Chair term: 6/3/2023 - 6/3/2025]
-- Marina Moore ([@mnm678](https://github.com/mnm678)), NYU [Chair term: 10/3/2023 - 10/3/2025]
+| Name                  | Organization            | Term                | Handle    |
+|-----------------------|------------------------|---------------------|-----------|
+| Pushkar Joglekar      | Independent            | June, 2023 - June, 2025 | @PushkarJ |
+| Marina Moore          | Independent                  | October, 2023 - October, 2025 | @mnm678   |
+| Eddie Knight          | Sonatype               | May, 2024 - May, 2026 | @eddie-knight |
+
 
 ### Tech Leads
 
-- Justin Cappos ([@JustinCappos](https://github.com/JustinCappos)), New York
-  University
-- Ash Narkar ([@ashutosh-narkar](https://github.com/ashutosh-narkar)), Styra
-- Andres Vega ([@anvega](https://github.com/anvega))
-- Ragashree Shekar ([@ragashreeshekar](https://github.com/ragashreeshekar)), Independent
-- Michael Lieberman ([@mlieberman85](https://github.com/mlieberman85)), Kusari
+| Name                  | Organization            | Handle              |
+|-----------------------|------------------------|---------------------|
+| Justin Cappos         | New York University    | @JustinCappos       |
+| Ash Narkar            | Styra                  | @ashutosh-narkar    |
+| Andrés Vega           | M42                    | @anvega             |
+| Ragashree Shekar      | Independent            | @ragashreeshekar    |
+| Michael Lieberman     | Kusari                 | @mlieberman85       |
+| John Kjell    | TestifySec                 | @jkjell       |
+
 
 ### Security TAG Chair Emeriti
 
-- Dan Shaw ([@dshaw](https://github.com/dshaw)),
-  PayPal [Chair term: 6/3/2019 - 9/3/2020]
-- Sarah Allen ([@ultrasaurus](https://github.com/ultrasaurus)), [Chair term:
-  6/3/2019 - 6/3/2021]
-- Jeyappragash JJ ([@pragashj](https://github.com/pragashj)),
-  Tetrate.io [Chair term: 6/3/2019 - 6/3/2021]
-- Emily Fox ([@TheFoxAtWork](https://github.com/TheFoxAtWork)),
-  Apple [Chair term: 9/28/2020 - 2/4/2022]
-- Brandon Lum ([@lumjjb](https://github.com/lumjjb)), Google [Chair term:
-  6/3/2021 - 6/3/2023]
-- Aradhana Chetal ([@achetal01](https://github.com/achetal01)), TIAA [Chair term: 6/3/2021 - 9/3/2023]
+| Name                  | Organization            | Term                | Handle    |
+|-----------------------|------------------------|---------------------|-----------|
+| Dan Shaw              | PayPal                 | June, 2019 - September, 2020 | @dshaw    |
+| Sarah Allen           |                        | June, 2019 - June, 2021 | @ultrasaurus |
+| Jeyappragash JJ       | Tetrate.io             | June, 2019 - June, 2021 | @pragashj |
+| Emily Fox             | Apple                  | September, 2020 - February, 2022 | @TheFoxAtWork |
+| Brandon Lum           | Google                 | June, 2021 - June, 2023 | @lumjjb   |
+| Aradhana Chetal       | TIAA                   | June, 2021 - September, 2023 | @achetal01 |
+| Andrew Martin         | ControlPlane           | March, 2022 - March, 2024 | @sublimino|
+
 
 ### On-going projects
 
@@ -175,7 +180,7 @@ the project and its risk profile.
 Facilitator: Justin Cappos ([@JustinCappos](https://github.com/JustinCappos)),
 New York University
 
-Co-chair representatives: @sublimino @PushkarJ
+Co-chair representatives: @PushkarJ @eddie-knight
 
 #### Software Supply Chain Security
 

README.md

@@ -103,15 +103,9 @@ them
 
 - [Markdown](https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises)
 
-
-
 ## Use Cases & Personas
 
 List of use cases to enable secure access, policy control and safety for users
 of cloud native technology
 
 - [Markdown](https://github.com/cncf/tag-security/blob/main/usecase-personas/README.md)
-
-
-
-

PUBLICATIONS.md publications/README.md

@@ -60,7 +60,7 @@ This chapter goes over background concepts of fuzzing and gives a practical demo
 ## Fuzzing foundations
 Fuzzing is a program analysis technique closely connected to testing. In testing, a common practice is to execute code using a fixed input setting. In fuzzing, the testing is done using pseudo-random data as input to a target piece of code, meaning the target code is run over and over again with pseudo-random data as input. The goal of fuzzing is to discover if any arbitrary input can lead to a bug in the target code. For example, a simple way to fuzz a modern browser is to generate random files and then open each file in the browser with the goal of identifying potential patterns that can cause issues in the browser.
 
-The common set up when fuzzing a piece of software is to construct a fuzzing set up for the code and then run this fuzzer for an extended period of time, and monitor if any bugs occur in the target code during the process. The fuzzer can be run in many settings, including running it locally locally, as part of a CI/CD pipeline or part of a larger management framework for handling the running of fuzzers. The specific time run for the fuzzer ranges from a few minutes to hundreds or even thousands of hours.
+The common set up when fuzzing a piece of software is to construct a fuzzing set up for the code and then run this fuzzer for an extended period of time, and monitor if any bugs occur in the target code during the process. The fuzzer can be run in many settings, including running it locally, as part of a CI/CD pipeline or part of a larger management framework for handling the running of fuzzers. The specific time run for the fuzzer ranges from a few minutes to hundreds or even thousands of hours.
 
 The core technique of fuzzing is simple in that it executes target code indefinitely using pseudo-random input. However, fuzzing comes in many flavors and in this handbook we will be concerned with the concert of coverage-guided fuzzing. This is a technique that relies on monitoring the target code under to extract the specific code executed by a given input, and use this to improve generation of pseudo-random input to increase likelihood of generating new inputs that trigger unique code paths. Coverage-guided fuzzing has had a significant impact on fuzzing in the last 15 years and is the most common fuzzing technique used in modern software development.
 
@@ -102,14 +102,14 @@ In order to make the fuzzing work the developer compiles the fuzzing harness and
 #include <stdlib.h>
 
 int parseUntrustedBuffer(const uint8_t *buffer, size_t size) {
-        if (size < 2) {
-                return -1;
-        }
-        if (buffer[0] == 'A') {
-                if (buffer[1] == 'B') {
-                        assert(0);
-                }
+    if (size < 2) {
+        return -1;
+    }
+    if (buffer[0] == 'A') {
+        if (buffer[1] == 'B') {
+            assert(0);
         }
+    }
     return 0;
 }
 ```
@@ -124,7 +124,7 @@ The question in place for the fuzzer in this case is whether it will come up wit
 extern int parseUntrustedBuffer(const uint8_t *buffer, size_t size);
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-        parseUntrustedBuffer(data, size);
+    parseUntrustedBuffer(data, size);
     return 0;
 }
 ```
@@ -191,7 +191,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 }
 ```
 
-ompiling this and launching the fuzzer in a manner similar to Example 1 will result in the binary running forever. In each iteration of the fuzzer it will either print “Size 123” or “Not size 123”, however, by default it will never stop. This can seem counterintuitive at first, partly because it signals that there is no notion of “completeness” when fuzzing, as opposed to testing. This is correct in the sense there is no single truth value denoting if the fuzzing is complete or not, it is by nature an infinite while loop. To this end, a harness is generally run until either one of the conditions hold:
+Compiling this and launching the fuzzer in a manner similar to Example 1 will result in the binary running forever. In each iteration of the fuzzer it will either print “Size 123” or “Not size 123”, however, by default it will never stop. This can seem counterintuitive at first, partly because it signals that there is no notion of “completeness” when fuzzing, as opposed to testing. This is correct in the sense there is no single truth value denoting if the fuzzing is complete or not, it is by nature an infinite while loop. To this end, a harness is generally run until either one of the conditions hold:
 
 1. A timeout has been reached;
 2. The fuzzer found a bug and, therefore, exits.
@@ -356,7 +356,7 @@ The core task that we have to do in order to use LibFuzzer to fuzz a target appl
 #include <stdint.h>
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-	/* Fuzz driver implementation */
+    /* Fuzz driver implementation */
 }
 ```
 
@@ -834,17 +834,17 @@ We can use the following fuzzer to attack this code:
 
 ```c
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size){
-	char *new_str = (char *)malloc(size+1);
-	if (new_str == NULL){
-		return 0;
-	}
-	memcpy(new_str, data, size);
-	new_str[size] = '\0';
-	
-	attack_me(new_str);
-	
-	free(new_str);
-	return 0;
+    char *new_str = (char *)malloc(size+1);
+    if (new_str == NULL){
+        return 0;
+    }
+    memcpy(new_str, data, size);
+    new_str[size] = '\0';
+    
+    attack_me(new_str);
+    
+    free(new_str);
+    return 0;
 }
 ```
 
@@ -1578,14 +1578,14 @@ The project has two fuzzers `fuzz_complex_parser.c:`
 #include "char_lib.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-  char *ns = malloc(size+1);
-  memcpy(ns, data, size);
-  ns[size] = '\0';
-  
-  count_lowercase_letters(ns);
-  
-  free(ns);
-  return 0;
+    char *ns = malloc(size+1);
+    memcpy(ns, data, size);
+    ns[size] = '\0';
+    
+    count_lowercase_letters(ns);
+    
+    free(ns);
+    return 0;
 }
 ```
 
@@ -1600,14 +1600,14 @@ and `fuzz_char_lib.c`
 #include "char_lib.h"
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-  char *ns = malloc(size+1);
-  memcpy(ns, data, size);
-  ns[size] = '\0';
-  
-  parse_complex_format(ns);
-  
-  free(ns);
-  return 0;
+    char *ns = malloc(size+1);
+    memcpy(ns, data, size);
+    ns[size] = '\0';
+    
+    parse_complex_format(ns);
+    
+    free(ns);
+    return 0;
 }
 ```
 

security-fuzzing-handbook/fuzzing-handbook.md

@@ -0,0 +1,24 @@
+<!-- cSpell:ignore warbeast -->
+
+# GitGot: using GitHub repositories as exfiltration store
+
+ReversingLabs identified two npm packages, "warbeast2000" and "kodiak2k" which
+were designed to steal SSH keys from developers by exploiting GitHub
+repositories _as storage_.
+
+## Impact
+
+> Fortunately, the reach of this campaign was limited. ReversingLabs observed
+> different accounts publishing warbeast2000 and kodiak2k on npm. The
+> warbeast2000 package was downloaded a little less than 400 times, whereas the
+> kodiak2k was downloaded around 950 times.
+
+## Type of compromise
+
+- **Trust and Signing**: This means that in addition to leveraging implicit
+trust on `github.com` for pulls, attackers were using Personal Access Tokens
+(PATs) to leverage that implicit trust for exfiltration.
+
+## References  
+
+- [ReversingLabs Blog](https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data)

supply-chain-security/compromises/2024/gitgot.md

@@ -31,6 +31,7 @@ of compromise needs added, please include that as well.
 | Name              | Year               | Type of compromise    | Link        |
 | ----------------- | ------------------ | ------------------    | ----------- |
 | [xz backdoor incident](2024/xz.md) | 2024 | Malicious Maintainer | [1](https://cloudsecurityalliance.org/blog/2024/04/25/navigating-the-xz-utils-vulnerability-cve-2024-3094-a-comprehensive-guide) |
+| [GitGot: using GitHub repositories as exfiltration store](2024/gitgot.md) | 2024 | Trust and Signing | [1](https://www.reversinglabs.com/blog/gitgot-cybercriminals-using-github-to-store-stolen-data) |
 | [ManageEngine xmlsec dependency](2023/xmlsec-manageengine.md) | 2023 | Outdated Dependencies | [1](ttps://flashpoint.io/blog/manageengine-apache-santuario-cve-2022-47966) |
 | [Retool Spear Phishing](2023/retool-portal-mfa.md) | 2023 | Dev Tooling | [1](https://www.coindesk.com/business/2023/09/13/phishing-attack-on-cloud-provider-with-fortune-500-clients-led-to-15m-crypto-theft-from-fortress-trust/) |
 | [Fake Dependabot commits](2023/fake-dependabot.md) | 2023 | Source Code | [1](https://checkmarx.com/blog/surprise-when-dependabot-contributes-malicious-code/) |

supply-chain-security/compromises/README.md

@@ -1,7 +1,47 @@
 deps:
-	rsync -av ../ content/ --include='assessments' --include='governance' --include='governance/related-groups' --include='supply-chain-security' --include='*.md' --exclude='*'
+	git submodule update --init --recursive # TODO: the hugo theme doesn't need to live in this directory
+
+	# Move select content from the root level into the website directory.
+	rsync -avv ../ root/ \
+	--include='assessments' --include='assessments/**' \
+	--include='governance' --include='governance/**' \
+	--include='publications' --include='publications/**' \
+	--include='*.md' --exclude='*'
+
+	# Move over content such as graphics and logos
 	rsync -av '../design/' 'static/design/' --exclude='#*'
-	git submodule update --init --recursive
+
+	# Update all imported markdown files to work as standalone hugo pages (except READMEs, see below)
+	# sed command is configured for the Netlify ubuntu env
+	find root -type f -name '*.md' | while IFS= read -r file; do \
+		base_name=$$(basename "$$file" .md); \
+		if [ "$$file" = "/_index.md" -o "$$base_name" = "README" ]; then \
+			continue; \
+		fi; \
+		text_to_prepend="---\ntitle: \"$$base_name\"\n---\n"; \
+		sed -i "1s/^/$$text_to_prepend/" "$$file"; \
+	done
+
+	# Set up Navbar and Sidebar contents
+	# Add top level dirs to the navbar
+	# Add all subdirectories to the sidebar
+	# If a README is in the dir, copy its contents to the front page for that dir
+	find root -type d -exec sh -c '\
+		base_title=$$(basename "$$1"); \
+		spaced_title=$$(echo "$$base_title" | sed "s/-/ /g" | tr "[:lower:]" "[:upper:]"); \
+		title=$$(echo "$$spaced_title" | awk "{for(i=1; i<=NF; i++) \$$i = toupper(substr(\$$i, 1, 1)) tolower(substr(\$$i, 2)); print}"); \
+		if [ $$1 = "root/$$base_title" ]; then \
+			echo "---\ntitle: $$title\nmenu:\n  main:\n    weight: 20\n---" > "$$1/_index.md"; \
+		else \
+			echo "---\ntitle: $$title\n---" > "$$1/_index.md"; \
+		fi; \
+		echo "{{< include-markdown \"$$1/README.md\" >}}" >> "$$1/_index.md"; \
+	' sh {} \;
+
+	# Move everything but README files over to content dir
+	# This excludes READMEs to avoid them being duplicated on the sidebar
+	# Exclude any _index files that need customized in the `website/` in this rsync to avoid autogen overwrite
+	rsync -avv --exclude='README.md' --exclude='/_index.md' root/ content/
 
 serve: deps
 	hugo server \
@@ -28,4 +68,10 @@ preview-build: deps
 		--buildDrafts \
 		--buildFuture \
 		--minify
-	npx -y pagefind --site public
+	npx -y pagefind --site public
+
+clean:
+	@git clean -f .
+	@rm -rf public resource
+	@find root/* -type f ! -name '*.gitkeep' -print0 | xargs -0 rm -v
+	@echo "Finished removing anything residual"

website/Makefile

@@ -1,6 +1,4 @@
 ---
 ---
-
-# Security Technical Advisory Group
-
-{{< include-markdown "content/README.md" "false" >}}
+<!-- markdownlint-disable-file MD041 -->
+{{< include-markdown "root/README.md" >}}