content: Update mitigation section for the Dependency Confusion threat. #1226
Conversation
Signed-off-by: Meder Kydyraliev <[email protected]>
✅ Deploy Preview for slsa ready!
Signed-off-by: Meder Kydyraliev <[email protected]>
@meder we talked about this PR during the SLSA meeting on 11/11/2024. It is my opinion that this would fall in the Dependency Track, not the Build track. The OpenSSF S2C2F already has a requirement (ENF-1) to mitigate against Dependency Confusion attacks. Per the meeting discussion, they said that we should admit that this is hard, and if there are blogs or articles about ways to mitigate against this, we should share them here. So I'm sharing some links below - but again - I think this belongs in the SLSA Dependency Track and we should wait to cover this there.
And here's a blogpost on the topic: Defender's Perspective: Dependency Confusion and Typosquatting Attacks.
Hi all, re: Dependency track: I think it can indeed make it easier to defend against dependency confusion and we can update this page with the new capabilities once that lands. It might be worth agreeing on the purpose of the threats page. Given the current wording on the page I view its purpose as a place to highlight how current SLSA specification can help mitigate common supply chain threats at a high level. At its core dependency confusion is about the lack of verifiable provenance, hence the current wording suggested in this PR. Is this how others view the purpose of this page?
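To make the "verifiable provenance" argument in the comment above concrete, here is an added example (not SLSA project code and not part of this PR) of a pre-install gate: before a package is installed, its artifact is matched against the subject of an in-toto statement carrying a SLSA v1 provenance predicate, and the recorded source repository is compared with a policy of which repository each internal package name may be built from. A public package that merely reuses the internal name carries provenance from a different repository and is rejected. The policy map, package names, repository URIs, artifact bytes and digests are all constructed for the example; the statement's DSSE envelope signature is assumed to have been verified against the trusted builder's key beforehand, and the field path `externalParameters.source.uri` is an assumed builder-specific layout, since SLSA v1 leaves the contents of `externalParameters` to the builder.

```python
"""Added example (not SLSA project code): gate an artifact on SLSA provenance
before install, to show why verifiable provenance addresses dependency
confusion. Assumes the DSSE envelope signature was already verified against
the trusted builder's key; only the statement payload is checked here."""
import hashlib

# Hypothetical policy: each internal package name -> the only source repo
# it may be built from. Constructed for this example.
EXPECTED_SOURCE = {
    "acme-internal-utils": "git+https://git.example.internal/acme/internal-utils",
}

SLSA_V1 = "https://slsa.dev/provenance/v1"


def _source_uri(statement):
    """Return the source URI recorded in the provenance, or None.

    Under SLSA v1 the layout of externalParameters is builder-specific; this
    example assumes the builder records it as externalParameters.source.uri.
    """
    params = (statement.get("predicate", {})
              .get("buildDefinition", {})
              .get("externalParameters", {}))
    return params.get("source", {}).get("uri")


def verify_provenance(package, artifact_bytes, statement):
    """Return (ok, reason) for installing `artifact_bytes` as `package`."""
    expected = EXPECTED_SOURCE.get(package)
    if expected is None:
        return False, "no provenance policy for package"
    if statement.get("predicateType") != SLSA_V1:
        return False, "not a SLSA v1 provenance statement"
    # The artifact we are about to install must be a subject of the statement;
    # otherwise the provenance describes something else entirely.
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        return False, "artifact digest is not a subject of the provenance"
    uri = _source_uri(statement)
    if uri is None:
        return False, "provenance records no source URI"
    if uri != expected:
        # A public package that merely reuses the internal name fails here:
        # it was built from a repository the policy does not recognise.
        return False, f"built from unexpected source {uri}"
    return True, "source matches policy"


def _statement(artifact_bytes, subject_name, source_uri):
    """Build a constructed in-toto statement for the samples below."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": subject_name,
                     "digest": {"sha256": hashlib.sha256(artifact_bytes).hexdigest()}}],
        "predicateType": SLSA_V1,
        "predicate": {"buildDefinition": {
            "externalParameters": {"source": {"uri": source_uri}}}},
    }


# Constructed sample inputs: an internal build, and a look-alike public package
# that carries the same name but genuine provenance from a different repository.
GOOD_ARTIFACT = b"constructed wheel bytes: internal build"
GOOD_STATEMENT = _statement(GOOD_ARTIFACT,
                            "acme_internal_utils-1.4.0-py3-none-any.whl",
                            "git+https://git.example.internal/acme/internal-utils")

CONFUSED_ARTIFACT = b"constructed wheel bytes: public look-alike"
CONFUSED_STATEMENT = _statement(CONFUSED_ARTIFACT,
                                "acme_internal_utils-99.0.0-py3-none-any.whl",
                                "git+https://github.com/someone-else/acme-internal-utils")

if __name__ == "__main__":
    for label, art, st in [("internal", GOOD_ARTIFACT, GOOD_STATEMENT),
                           ("look-alike", CONFUSED_ARTIFACT, CONFUSED_STATEMENT)]:
        print(label, verify_provenance("acme-internal-utils", art, st))
```

The order of checks matters: the digest check binds the provenance to the exact bytes being installed, so an attacker cannot pair a legitimate statement with a substituted artifact, and the source check is what actually distinguishes the internal package from a public one of the same name. Registry-level controls such as pinning an index or scoping names (the S2C2F ENF-1 style of mitigation mentioned above) stop the resolver from fetching the wrong package; this gate catches the case where the wrong package was fetched anyway.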
this looks correct to me 👍
@arewm, @trishankatdatadog any objections to merging this? I think we have enough folks, and it's been sitting here for a bit. I'll probably merge by EoY unless you say otherwise. :)
Er, I meant "end of week" not "end of year"... We can always make further changes as needed.
Documenting a SLSA-native and build track-centric mitigation for Dependency Confusion attacks (#1181)
Would love to hear thoughts/opinions on the best way to reflect differing levels of adoption / maturity in native provenance verification across different ecosystems.