
Consolidate sandbox images and inject analyze script at runtime

Open · calebbrown opened this issue 3 years ago · 1 comment

Packages downloaded from package repositories often depend on other ecosystems to function correctly (e.g. an NPM package uses PyPI).

So rather than having a separate sandbox image for each ecosystem we could instead have a single common image and just mount the analyze script into the image.

This enables some interesting other capabilities:

  • makes the sandbox harder to evade by detecting the analyze script
  • allows different versions of Linux, Node, Python, etc. to be tested
  • makes the infrastructure more flexible for broader use cases

calebbrown · Jun 23 '22 20:06

This needs some more thought.

One challenge is handling packages that depend on a specific version of Node, PHP, Python, etc.

Perhaps more decoupling between the sandboxes + dynamic analysis and the package repositories + analysis scripts makes sense though.

calebbrown · Jun 27 '22 22:06