Dapr february 2021 security audit report
... and setup • WP3: Retesting of issues spotted in June 2020. To enable swift progress and expected coverage of the ‘delta’, Cure53 could leverage access to sources, which are available on GitHub as OSS. In ... Frequent status updates were issued by the testers to Dapr. The Cure53 team managed to get very good coverage over the WP1-3 scope items and spotted only one new finding classified as a security vulnerability ... vulnerabilities that were identified as part of the initial code audit carried out in July 2020. From the analysis of the provided source code repository and setup, it is evident that several vulnerabilities have ...
0 points | 9 pages | 161.25 KB | 1 year ago

Dapr july 2020 security audit report
Dr.-Ing. M. Heiderich, M. Wege, MSc. R. Peraglie, J. Larsson ... Index: Introduction; Scope; Test Coverage; Identified Vulnerabilities; DAP-01-002 WP2: Insufficient context separation leads to RCE (High) ... clarified the threat model and precisely communicated their expectations in terms of coverage, pointing Cure53 to certain research avenues for exploration. Information on useful tests and setup ... and communications, Cure53 managed to carry out substantial research and acquired a very good coverage over the scope. Cure53 managed to identify twelve security-relevant issues affecting the Dapr complex ...
0 points | 19 pages | 267.84 KB | 1 year ago

Dapr september 2023 security audit report
Provenance generation ... Provenance Exists ⛔ ⛔ ⛔ ... Provenance is Authentic ⛔ ⛔ ... 8 https://sysdig.com/blog/analysis-of-supply-chain-attacks-through-public-docker-images/ ... 43 Dapr security audit 2023 ... Provenance library addon libraries (golang.org/x/…). This data has been generated by way of Class Hierarchy Analysis. A dependency can become malicious from a code change by either a contributor or a maintainer.
0 points | 47 pages | 1.05 MB | 1 year ago

Dapr june 2023 fuzzing audit report
... efforts of CNCF have focused on enabling continuous fuzzing of projects to ensure continued security analysis, which is done by way of the open source fuzzing project OSS-Fuzz1. CNCF continues work in this ...
0 points | 19 pages | 690.59 KB | 1 year ago

4 results in total













