OS level package analysis #1114
Description
This is a neat idea, but I'm wondering about a few possible areas of improvement:
- What about packages generated by popular open source projects?
- Integrations with existing OS package managers to check for flagged versions of python, ruby, etc scripts?
- Integrations with OS package cluster/build tools to do scans (for example during test runs/qat)
OS vendors have to frequently package up existing python, perl, ruby, rust crates, etc for dependencies on packages. However, they also build a lot of other things that aren't covered here. it would make sense for the package to never be built if it has known malware you've already identified. It would make sense for the package manager not to install the malware or at least warn the user it contains malware.
Some of these things detected will result in a CVE and eventually get caught by projects, but there's a delay.
For context, I run a small BSD project but I'm also thinking about all the k8s pods we use at work running debain/ubuntu/alpine packages.