“The recent report by Trellix detailing the presence of a 15-year-old unpatched path traversal vulnerability (CVE-2007-4559) in Python’s tarfile module, a library used to read and write tape archive (tar) files, potentially exposes over 350,000 open source repositories that utilise it within their projects. This is a reminder of the challenges faced with incorporating open-source code into software projects, especially those used within enterprise environments.
“While we are nearly a year into the fallout from the discovery of Log4Shell in the Log4j library, researchers continue to identify weaknesses across the supply chain, which underscores the continued need for more resources to assist in identifying and addressing vulnerabilities across some of the most common libraries and software used by organisations today.
“Initiatives like Supply-chain Levels for Software Artifacts (SLSA) and Software Bill of Materials (SBOM) and projects such as Alpha-Omega under the Open Source Security Foundation are designed to bridge the security gap within the open source community, as many of the developers are often unpaid contributors who volunteer their time. There’s no single solution to address the issue of software supply chain security, but the proposals above present an opportunity to help make a meaningful difference. Reports like this one certainly won’t be the last, which is why the pursuit of the initiatives above is extremely critical.” — Satnam Narang, Sr. staff research engineer, Tenable
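The path traversal the statement refers to is the absence of a check, in `tarfile.extractall()`, that a member's name (or link target) stays inside the destination directory. The following is an added example, not code from Trellix, Tenable or the Python project: it scans an archive's members before extraction and refuses archives containing `../` names, absolute names, or links that resolve outside the destination. The sample archive is constructed in memory for the demo; the `hasattr(tarfile, "data_filter")` branch uses the PEP 706 extraction filters that newer Python releases ship, as defence in depth on interpreters that have them. Function names (`unsafe_members`, `safe_extract`, `build_sample_archive`, `demo`) are this example's own.

```python
import io
import os
import tarfile
import tempfile


def unsafe_members(tar, dest):
    """Return the names of members whose extraction would write outside dest.

    This is the validation that tarfile.extractall() historically skipped
    (CVE-2007-4559): a member named '../x' or '/etc/x' is joined to the
    destination path with no check that the result still lies inside it.
    """
    dest_real = os.path.realpath(dest)
    flagged = []
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest_real, member.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            flagged.append(member.name)
            continue
        # A symlink or hardlink that sits inside dest can still point outside it.
        if member.issym():
            link = os.path.join(os.path.dirname(target), member.linkname)
        elif member.islnk():
            link = os.path.join(dest_real, member.linkname)
        else:
            continue
        if os.path.commonpath([dest_real, os.path.realpath(link)]) != dest_real:
            flagged.append(member.name)
    return flagged


def check_archive_bytes(data, dest):
    """Scan an uncompressed tar held in memory; nothing is written to disk."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return unsafe_members(tar, dest)


def safe_extract(data, dest):
    """Extract only if every member passes the path check; return member names."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError("refusing to extract, unsafe members: " + ", ".join(bad))
        if hasattr(tarfile, "data_filter"):
            # PEP 706 filters (Python 3.12+ and security backports): the 'data'
            # filter rejects traversal and outside links at extraction time too.
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_sample_archive(include_unsafe=True):
    """Build a constructed in-memory tar for the demo (not a real-world sample)."""
    buf = io.BytesIO()
    payload = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tar:
        readme = tarfile.TarInfo("docs/readme.txt")
        readme.size = len(payload)
        tar.addfile(readme, io.BytesIO(payload))
        if include_unsafe:
            # Relative traversal out of the destination directory.
            escape = tarfile.TarInfo("../outside.txt")
            escape.size = len(payload)
            tar.addfile(escape, io.BytesIO(payload))
            # Symlink located inside dest whose target resolves outside it.
            link = tarfile.TarInfo("docs/passwd-link")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../../../../../etc/passwd"
            tar.addfile(link)
    return buf.getvalue()


def demo():
    """Run the check against the constructed archives and return the outcomes."""
    dest = tempfile.mkdtemp(prefix="tar-demo-")
    flagged = check_archive_bytes(build_sample_archive(), dest)
    try:
        safe_extract(build_sample_archive(), dest)
        refused = False
    except ValueError:
        refused = True
    extracted = safe_extract(build_sample_archive(include_unsafe=False), dest)
    return {"flagged": flagged, "refused": refused, "extracted": extracted}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` flags `../outside.txt` and the outward-pointing symlink, refuses the hostile archive without writing anything, and extracts the clean one normally. The check resolves paths with `os.path.realpath` before comparing, so a destination directory that is itself reached through a symlink (common for temp directories) is compared on equal terms.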