SQ14136
Detected Windows executable files that are not built with file reproducibility.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
| None | pass | low | high | None | None |
About the issueโ
Reproducible builds allow programming language toolchains to deterministically produce binary artifacts on each run. They are used to verify artifact integrity by repeating the build process sequence on two or more isolated machines. Any discrepancies between these independently created outputs could indicate a software supply chain attack against the build infrastructure.
How to resolve the issueโ
- To be able to efficiently compare independent outputs, all your build artifacts should be reproducible. To configure the build process, refer to your programming language toolchain documentation.
- In Microsoft VisualStudio .NET, you can enable this feature by passing the option /deterministic to the linker.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total amount of packages analyzed
- RubyGems: 183K
- Nuget: 644K
- PyPi: 628K
- NPM: 3.72M
Statistics are not collected for the SQ14136 policy at this time, or not applicable to this type of issue.
Recommended readingโ
- CICD-SEC-9: Improper Artifact Integrity Validation (External resource - OWASP)
- Supply chain attacks (External resource - Microsoft)