The project should not have generated executable (binary) artifacts in the source repository.

ID

esf_s3c_dev/binary_artifacts

Severity

critical

Category

Levels

Optional

false

Tags

security, supply-chain

Description

The project should not have generated executable (binary) artifacts in the source repository; only the source code should be integrated into the build environment.

Rationale

Including generated executables in the source repository increases user risk. Many programming language systems can generate executables from source code (e.g., C/C++ generated machine code, Java .class files, Python .pyc files, and minified JavaScript). Users who find executables in a source repository will often run them directly instead of building from source, which exposes them to the problems below.

Problems with generated executable (binary) artifacts:

  • Binary artifacts cannot be meaningfully reviewed, so obsolete or maliciously subverted executables can go unnoticed. Reviews generally cover source code, not executables, since it is difficult to audit an executable to confirm that it corresponds to the source code. Over time the included executables may no longer correspond to the source code at all.

  • Checked-in executables allow the executable generation (build) process to atrophy, which can lead to an inability to create working executables. These problems can be countered with verified reproducible builds, but it is easier to implement verified reproducible builds when executables are not included in the source repository, since the build process is then exercised regularly and is less likely to have atrophied.

Verification

The check is reported when at least one binary executable file is found in the project's source repository.
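The following scanner is an added example, not part of this check page or of any tool that implements it. It shows one way to apply the verification rule to a local checkout: walk the tree, skip version-control metadata, and flag a file as a generated executable artifact when either its file-type magic bytes or its extension identify it as one. The magic-byte table, the extension list, the function names and the constructed sample repository are all assumptions made for the example.

```python
"""Scan a source tree for generated executable (binary) artifacts.

Added example; not the original page's or any project's own code. It assumes
the check runs against a local checkout and combines two signals: well-known
executable magic bytes and extensions of generated artifacts.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Magic-byte prefixes of common executable formats (constructed list).
MAGIC_PREFIXES = {
    b"\x7fELF": "ELF executable or shared object",
    b"MZ": "PE (Windows) executable or DLL",
    b"\xca\xfe\xba\xbe": "Java .class file or Mach-O fat binary",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit binary",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit binary",
}

# Extensions of generated artifacts named in the rationale, plus a few
# common ones (constructed list; extend to match the project's toolchain).
ARTIFACT_SUFFIXES = {
    ".class": "compiled Java class",
    ".pyc": "compiled Python bytecode",
    ".exe": "Windows executable",
    ".dll": "Windows shared library",
    ".so": "shared object",
    ".dylib": "macOS shared library",
    ".o": "object file",
    ".a": "static library",
    ".jar": "Java archive",
    ".min.js": "minified JavaScript",
}

# Version-control metadata is not part of the reviewed source; skip it.
SKIP_DIRS = {".git", ".hg", ".svn"}


def classify(path: Path) -> Optional[str]:
    """Return a reason string if `path` looks like a generated artifact."""
    name = path.name.lower()
    for suffix, reason in ARTIFACT_SUFFIXES.items():
        if name.endswith(suffix):
            return reason
    try:
        with path.open("rb") as fh:
            head = fh.read(4)
    except OSError:
        return None
    for magic, reason in MAGIC_PREFIXES.items():
        if head.startswith(magic):
            return reason
    return None


def find_binary_artifacts(root) -> List[Tuple[str, str]]:
    """Walk `root` and return (relative path, reason) for every artifact found.

    The check fails as soon as this list is non-empty.
    """
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            p = Path(dirpath) / fn
            if p.is_symlink():  # do not follow links out of the checkout
                continue
            reason = classify(p)
            if reason:
                findings.append((p.relative_to(root).as_posix(), reason))
    return sorted(findings)


def build_sample_repo(root) -> None:
    """Write a constructed checkout mixing source files with build outputs."""
    files = {
        "src/main.c": b"int main(void) { return 0; }\n",
        "README.md": b"# demo\n",
        "build/tool": b"\x7fELF" + b"\x00" * 60,          # ELF, no extension
        "lib/helper.dll": b"MZ" + b"\x00" * 62,           # PE by magic and name
        "out/Main.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",
        "web/app.min.js": b"!function(){console.log(1)}();",
        ".git/index": b"DIRC" + b"\x00" * 8,              # skipped: VCS metadata
    }
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> List[Tuple[str, str]]:
    """Build the sample checkout in a temp dir and run the check on it."""
    root = tempfile.mkdtemp(prefix="binary_artifacts_")
    build_sample_repo(root)
    return find_binary_artifacts(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Running the module prints the four flagged files (the ELF tool, the DLL, the .class file and the minified JavaScript) and ignores the C source, the README and the .git directory. Suffix matching runs before the magic-byte read so that obviously generated files are reported without opening them; the magic-byte pass catches extensionless binaries such as build/tool, which an extension-only check would miss.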

Remediation

  • Remove the generated executable artifacts from the repository.

  • Build the executables from source as part of the build process instead.