Detecting Polyfill.io CDN references

I see there is an old thread but I thought I’d create a new one in light of yesterday’s discovery of a supply chain attack. It would be good to be able to set a blacklist of CDN URLs, so that we do not accidentally include links to cdn.polyfill.io or others.



Thanks for raising this Dave!

I am tracking interest in this kind of rule, so your message helps!

Besides this specific case, what sort of CDN or other external links would be useful to detect for you?

I’d not really thought about it.

One minor irritation I have with my teams is when they use default URLs from Azure, such as azureedge.net, azurewebsites.net, etc.

Though it’s not a commonly accepted concern, I worry that it trains our users to accept URLs that could potentially be phishing sites (even if they’re only used for loading resources).

I’d rather they used our company’s domain, e.g. cdn.company.com instead of cdn.azureedge.net.


Hello,
Versions: SonarQube 10.2.1
SonarQube deployed: zip
Edition: Community
What are you trying to achieve: I would like to know if a sonar scan is prepared to find these malicious URL references: polyfill.io and polyfill.com, in relation to the polyfill JavaScript library supply chain attack.

Please let me know if additional information is required.

One more - cdn.polyfill.io

Hi all,

We have a rule about using integrity checks on external scripts; this is effective in mitigating the risk of this kind of attack:

This is not specific to Polyfill.io, but should cover this case and help prevent any future supply chain attacks like this one.