SQ14136
Detected Windows executable files that are not built with file reproducibility.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
| None | pass | low | high | None | None |
About the issueโ
Reproducible builds allow programming language toolchains to deterministically produce binary artifacts on each run. They are used to verify artifact integrity by repeating the build process sequence on two or more isolated machines. Any discrepancies between these independently created outputs could indicate a software supply chain attack against the build infrastructure.
How to resolve the issueโ
- To be able to efficiently compare independent outputs, all your build artifacts should be reproducible. To configure the build process, refer to your programming language toolchain documentation.
- In Microsoft VisualStudio .NET, you can enable this feature by passing the option /deterministic to the linker.
Incidence statisticsโ
Not relevant for this type of issue.
Recommended readingโ
- CICD-SEC-9: Improper Artifact Integrity Validation (External resource - OWASP)
- Supply chain attacks (External resource - Microsoft)