Unverifiable files - javascript

Need

Ensuring verifiability of files in the repository

Context

  • Usage of JavaScript for developing modern web applications
  • The repository stores files that cannot be verified because their content is not compatible with their extension
  • The repository stores files that cannot be verified because their content is opaque and difficult to inspect

Description

Non compliant code

        /my-project
        ├── static/
        │   ├── jquery.min.js
        │   ├── MyProgram.class
        │   └── maven.wrapper.jar
        └── src/
            ├── main.js
            └── index.html

In this example, the repository has a "static/" directory containing files that scanners cannot verify, either because their content is obfuscated (minified) or because it does not correspond to the file extension.

Steps

  • Validate the file extension before saving it to the repository
  • Filter out files that cannot be verified by scanners

Compliant code

        /my-project
        ├── .gitignore
        │       static/*.min.js
        │       static/*.class
        │       static/*.jar
        ├── src/
        │   ├── main.js
        │   └── index.html
        └── static/
            ├── jquery.min.js
            ├── MyProgram.class
            └── maven.wrapper.jar

In this case, the unverifiable files are matched by patterns in the .gitignore file so that they are never committed to the repository.
