Kotlin library safety

Hi

I am learning Kotlin and I am wondering about how publicly available Kotlin libraries provided by IntelliJ, and how Java libraries provided by Oracle, are checked and managed (if at all) for safety. I am not talking about null safety; I am concerned about the type of issues found in Python packages, which are generally considered to be unsafe (see "are python packages safe? - Google Search"). Is there a mechanism by which these libraries are managed to preclude the types of problems possible safety-wise with Python packages?

Thanks . . .

Phil

What do you consider safe? At the end of the day you are going to execute a piece of code you downloaded from the internet; in that regard it is no more safe than visiting google.com is.

Hi

There can obviously be different levels of perceived safety. What I am looking for is a level of safety that is backed by a process of checking and securing code before placing it in an official library. For example, is there a process of checking and securing libraries like those found at "Collection - Kotlin Programming Language"? Or for plugins?

Phil

Repositories like Maven support HTTPS and require PGP signatures for artifacts. These are safety measures taken to ensure that code is only uploaded by the owners of the project and only downloaded from Maven. There are no guarantees made on the contents of these artifacts.

The JetBrains team could, theoretically, insert code into the standard library to steal users’ credit card information and there would be no process by Maven that would decline the malicious artifact. This is true for all major package managers across languages (Python - pip, JS - npm, C# - NuGet, Rust - cargo, etc.).


Hi

Thank you very much for responding.

I have seen references on the internet that suggest that Python no longer requires PGP signatures. In particular, the postings I have seen suggest to me that it is very dangerous to use Python packages without first having gone over all of the code in the packages, either yourself or by someone you trust.

Going back to my original question, does IntelliJ (for Kotlin) and/or other vendors such as Oracle (for Java) have a process in place for packages/libraries they release? Or, from your perspective, how should an organization that works with sensitive data proceed with Kotlin, Java, C#, Rust, . . . libraries/packages?

Thanks . . .

Phil

For me it is not entirely clear what you are asking here. What kind of protections do you mean? What are the threats you are taking into consideration? There is no single safe/unsafe or secure/not secure answer - it all depends on the context.

The most generic answer is that whenever you use any library or really any kind of third-party software, you take a risk and you have to either trust its author, or trust that someone audited it before you, or audit it yourself.

We can try to answer in detail by discussing various threats:

  • Unsafe network - this should be generally fine as there is TLS in use.
  • Hacked repository of libs or intentional attack by the repository owners - I’m not 100% sure about this one, but I believe by default Gradle/Maven don’t protect against this. However, I suspect it could be possible to optionally add such protections, as libraries in repos are signed by authors. I never tried a setup like this.
  • Intentional attack by the library owner - the only way to protect against this is to audit the library yourself, verify hashes of libraries and, when updating to another version, re-audit it. This is really much more than individual people and companies usually do. As said above, usually we either trust the owner or we don’t use the library at all.
  • Insider attack at the library owner - as you said, the company owning the library has to use some kind of process for making changes and releasing libraries. There is no single standard for it; each company uses its own policies. I don’t know specifically about JetBrains, but I would guess smaller library authors don’t have any such process at all, and for bigger projects like JetBrains libs, Apache, etc. there are probably code reviews. I have no idea if there are any additional protection measures beyond code review; I would suspect no, there aren’t.
  • Paranoid mode - you are never really safe, because every library you use, any transitive dependency of your direct dependencies, every compiler, Gradle and other dev tools - they all run on your computer. This is all based on who your company decides to trust and who not to trust.

I can add that in the Kotlin ecosystem one usually uses fixed dependency versions, so one needs only to check specific versions’ security, unlike JS. Maven Central requires a digital signature of artifacts to avoid hijacking the library. It is not very useful in everyday life because checking the signature is tiresome. But for high-security-risk applications, it could be done. Also, Maven checks the dependencies for known vulnerabilities and IDEA reports those findings. Of course, it won’t help you with some less-known third-party library.

Hi

I am still not clear as to the process. So let’s look at one source of libraries, the Kotlin libraries provided by IntelliJ. What is the process they use to check these libraries and make sure that they are safe? Also, do they have a mechanism to ensure that the libraries are not tampered with in the distribution process (though I guess that is what the signing is for, but I do not understand that process)?

Likewise for Java?

Thanks . . .

Phil

I’ll try reorganizing your question a bit:
Since MavenCentral is the primary public repository for hosting Maven artifacts, and since Kotlin, Java, Scala, and other JVM languages primarily use Maven artifacts, what security considerations are done for libraries published to MavenCentral?

I’d recommend Google’ing along those lines. There are restrictions and controls to published packages. For example, releases can’t be mutated after the fact unless they’re marked as a snapshot.

Anyone can host a Maven repository and put their own restrictions in place such as code scanning for others to use if they choose.
There are plenty of security controls and attacks around tampering with the supply chain of dependencies.

The security of the ecosystem has very little (if anything) to do with the language and everything to do with the packaging, repositories, and dependency management tools used.
You probably want to search for Maven artifact security and Gradle dependency security.
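
An added example, not part of any post in this thread: the "audit a fixed version, verify its hash, re-audit on update" workflow mentioned in the replies above, applied to a directory in Maven repository layout, with snapshot versions flagged because they can change after publication. The status names, the `com.example` coordinates and the file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_artifacts(repo_dir, audited):
    """Classify each <group>/<artifact>/<version>/<artifact>-<version>.jar.
    audited maps "group:artifact:version" to the SHA-256 recorded at audit time."""
    root, results = Path(repo_dir), {}
    for jar in sorted(root.rglob("*.jar")):
        version, artifact = jar.parent.name, jar.parent.parent.name
        if jar.name != f"{artifact}-{version}.jar":
            continue  # sources/javadoc classifier jars are out of scope here
        group = ".".join(jar.parent.parent.parent.relative_to(root).parts)
        coord = f"{group}:{artifact}:{version}"
        if version.endswith("-SNAPSHOT"):
            results[coord] = "MUTABLE_SNAPSHOT"  # contents can change after publication
        elif coord not in audited:
            results[coord] = "UNAUDITED"         # new or updated version: audit before use
        elif sha256_file(jar) != audited[coord]:
            results[coord] = "HASH_MISMATCH"     # bytes differ from what was audited
        else:
            results[coord] = "OK"
    return results

def demo():
    """Build a constructed sample repository and check it against a constructed audit record."""
    with tempfile.TemporaryDirectory() as tmp:
        def put(group, artifact, version, content):
            folder = Path(tmp).joinpath(*group.split("."), artifact, version)
            folder.mkdir(parents=True)
            (folder / f"{artifact}-{version}.jar").write_bytes(content)
        put("com.example", "audited-lib", "1.2.0", b"reviewed bytes")
        put("com.example", "swapped-lib", "2.0.1", b"bytes that were never reviewed")
        put("com.example", "new-lib", "0.9.0", b"not yet audited")
        put("com.example", "dev-lib", "1.0-SNAPSHOT", b"may change at any time")
        audited = {  # hashes recorded when each version was reviewed (constructed)
            "com.example:audited-lib:1.2.0": hashlib.sha256(b"reviewed bytes").hexdigest(),
            "com.example:swapped-lib:2.0.1": hashlib.sha256(b"reviewed v2 bytes").hexdigest(),
        }
        return check_artifacts(tmp, audited)

if __name__ == "__main__":
    for coord, status in demo().items():
        print(f"{status:17} {coord}")
```

Gradle's built-in dependency verification (`gradle/verification-metadata.xml`) performs the same kind of checksum comparison during dependency resolution.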

Thank you very much!

Phil