Update docs/spec/draft/threats.md
Co-authored-by: Zachariah Cox <[email protected]>
Signed-off-by: Tom Hennen <[email protected]>
TomHennen and zachariahcox authored Dec 5, 2024
1 parent cf6a622 commit e00c6c8
Showing 1 changed file with 1 addition and 2 deletions.
3 changes: 1 addition & 2 deletions docs/spec/draft/threats.md
Expand Up @@ -722,8 +722,7 @@ rejects because provenance is missing.

*Threat:* Replace a package and its VSA with a malicious package and its valid VSA.

*Mitigation*: Verifier checks that the `resourceUri` in the VSA matches the package
they've requested not just the package they received.
*Mitigation*: Consumer ensures that the VSA matches the package they've requested (not just the package they received) by following the [verification process](verification_summary#how-to-verify).

*Example:* Adversary uploads a malicious package to `repo/evil-package`,
getting a valid VSA for `repo/evil-package`. Adversary then replaces
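Review bot: the rewritten mitigation drops the concrete field the check is performed on. The removed text named `resourceUri` as the VSA field that must match the package the consumer requested; the new sentence only says "the VSA matches the package" and defers to the verification process link, so a reader of this threat entry can no longer tell which VSA field the adversary's swap is caught by, even though the example that follows (a valid VSA for `repo/evil-package` served in place of another package) turns entirely on that field. Suggest keeping the field in the sentence while retaining the link, e.g. "Consumer ensures that the `resourceUri` in the VSA matches the package they've requested (not just the package they received), following the [verification process](verification_summary#how-to-verify)." Also note the actor changes from "Verifier" to "Consumer" in the same edit; please confirm this matches the term used by the neighbouring threat entries so the document does not alternate between the two.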