Chainguard Libraries FAQ

What security issues can Chainguard Libraries prevent?

As detailed in the background and introduction, Chainguard Libraries are built directly from source in the Chainguard Factory and the resulting binaries are directly provided to you by Chainguard. Chainguard operates the whole supply chain for the package lifecycle as one reliable, secure partner. You can therefore avoid issues from the following software supply chain attack surface points:

• Build pipeline
• Build system
• Dependency injection
• Bypass of CI/CD systems
• Library distribution
• Library consumption

More information about the supply chain stages is available on the Supply chain Levels for Software Artifacts (SLSA) website.

The following examples are issues, attacks, and compromises that affect stages of the software supply chain for libraries across different language ecosystems:

Ultralytics Python project

• Attackers compromised Ultralytics’ GitHub Actions workflow, injecting malware into PyPI package releases.
• Malicious versions proliferated (8.3.41, 8.3.42, 8.3.45, 8.3.46).
• Affected a widely-used AI library with ~60 million downloads that included a cryptominer.
• No source code was included: the use of Chainguard Libraries, based on source code, would therefore have prevented the attack.
• See also PyPI attack analysis and bleepingcomputer blog post.

Lottie Player

• Hackers gained access to the NPM registry by compromising a developer authentication token.
• Token used to upload a compromised version of Lottie Player.
• The malicious package would drain crypto wallet funds.
• No source code was included: the use of Chainguard Libraries, based on source code, would have prevented the attack.
• See also npm package Lottie-Player compromised in supply chain attack, Nov 2024.

MavenGate

• MavenGate is a proof of concept for exploiting abandoned Java library domains.
• Vulnerabilities in Maven dependency management allow unauthorized package replacements.
• All Java build tools using Maven repositories, including Maven, Gradle, and Ant, could be affected.
• See also The Hacker News article, Oversecured blog post, and Sonatype’s take as Maven Central operator.

XZ Utils backdoor

• Example of a supply chain issue with social engineering for maintainer rights
• Very complex backdoor that consists of multiple stages with potential to be very widespread and effective.
• Vulnerability was patched within hours of disclosure by reverting to a previous version known to be safe.
• See also Wikipedia article and official page from the XZ data compression.

Other examples and resources

• Successful supply chain attack on Solana JS library
• PyPI packages without source
• Compromised PyTorch nightly
• Commercial artifacts with RCE vulnerability and without source on PyPI, Aug 2024
• Thwarted attempts to flood npm registry
• PyPI Python library “aiocpa” found exfiltrating crypto keys via Telegram bot, Nov 2024
• Supply chain attack detected in Solana’s web3.js library. Dec 2024
• PyTorch namespace (dependency) confusion attack
• Typo squatting attempt to gain credentials
• Typo squatting attempts on Maven Central
• tj-actions GitHub action issue as example of build infrastructure supply chain compromise

Find pointers to further resources in the Software supply chain reading list.

Does Chainguard Libraries for Java include CVE remediation fixes?

Short answer:

No. Libraries are built from source code in the secured and hardened Chainguard infrastructure. This eliminates any build and distribution stage vulnerabilities.

More details:

Chainguard cannot patch Java libraries and create binaries with the same identifier because the complete behavior and API surface of every library affects the use. That use however is part of the application development of each customer. It varies widely and any change potentially creates incompatibilities, different behavior or even new security issues.

Chainguard collaborates with many upstream projects and can collaborate with customers to increase and accelerate the creation and adoption of fixes and the work towards new releases.

Importantly, over 95% of all known vulnerable components have a fixed version available and, by adopting those newer versions in your application, you can remediate most CVEs. Chainguard Libraries for Java includes those newest versions and adds the build and distribution channel security.

What are Chibbies?

Chibbies is the internal codename for the Chainguard Libraries. It evolved from Chainguard Libraries being shortened to Chainguard Libbies, and then finally to Chibbies.