
PRODSEC-4321: [supply-chain] Replace third-party URLs with Artifactory#2868

Merged: sfc-gh-turbaszek merged 4 commits into main from jdrozdowicz/supply-chain/replace-third-party-urls on May 14, 2026

Conversation

@sfc-gh-jdrozdowicz
Contributor

Summary

Following the recent axios supply-chain attack, the Product Security Team is working to eliminate dependencies on third-party package sources and ensure all packages are downloaded through Snowflake Artifactory. This reduces the risk of compromised upstream packages reaching our build and runtime environments.

Changes

  • ci/build_docker.sh - replaced pip install URLs with Artifactory proxy
  • ci/docker/connector_build/Dockerfile - replaced pip index URL with Artifactory
  • ci/docker/connector_test/Dockerfile - replaced pip index URL with Artifactory
  • ci/docker/connector_test_fips/Dockerfile - replaced pip index URL with Artifactory
  • ci/docker/connector_test_rockylinux9/Dockerfile - replaced pip index URL with Artifactory
  • ci/test_darwin.sh - replaced pip install source with Artifactory
  • ci/test_docker.sh - replaced pip install source with Artifactory
  • ci/test_fips.sh - replaced direct PyPI/third-party URLs with Artifactory
  • ci/test_linux.sh - replaced direct PyPI/third-party URLs with Artifactory
  • ci/test_revocation.sh - replaced direct PyPI/third-party URLs with Artifactory
  • ci/test_rockylinux9.sh - replaced direct PyPI/third-party URLs with Artifactory
  • ci/test_rockylinux9_docker.sh - replaced pip install source with Artifactory
  • ci/test_wif.sh - replaced pip install source with Artifactory
  • ci/test_windows.bat - replaced pip install source with Artifactory
  • prober/Dockerfile - replaced pip index URL with Artifactory

Why

Pulling packages directly from public registries (PyPI, PyTorch, Go module proxy) bypasses our artifact scanning and caching layer. If an attacker compromises an upstream package - as happened with axios - the malicious version would be fetched directly into our environments. Routing through Artifactory gives us a controlled checkpoint for vulnerability scanning and version caching.
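As an added example, not code from this PR or from the connector repository, the following POSIX sh script shows the kind of check that keeps the change above from regressing: it flags any direct reference to the public registries the description names (PyPI, PyTorch, Go module proxy) in CI files, and it includes the Jenkins/GitHub Actions index selection that the second commit message describes (Artifactory when JENKINS_HOME is set, public PyPI otherwise). The Artifactory hostname, the repository path and the sample Dockerfile contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from this PR. Scans CI files for direct public
# registry URLs and picks a pip index per environment. The Artifactory host
# and repository path below are placeholder assumptions.

ARTIFACTORY_HOST="artifactory.example.internal"   # assumed hostname
ARTIFACTORY_PYPI="https://${ARTIFACTORY_HOST}/artifactory/api/pypi/pypi-remote/simple"
PUBLIC_PYPI="https://pypi.org/simple"

# Public registries named in the PR description (PyPI, PyTorch, Go module
# proxy), plus PyPI's file host. A direct reference in a Jenkins-only file
# bypasses the Artifactory checkpoint.
DIRECT_HOSTS='pypi\.org|files\.pythonhosted\.org|download\.pytorch\.org|proxy\.golang\.org'
DIRECT_URL_RE="https?://($DIRECT_HOSTS)"

# Print the pip index to use: Artifactory when JENKINS_HOME is set (Jenkins),
# public PyPI otherwise (GitHub Actions, where Artifactory is unreachable).
pip_index_for_env() {
    if [ -n "${JENKINS_HOME:-}" ]; then
        printf '%s\n' "$ARTIFACTORY_PYPI"
    else
        printf '%s\n' "$PUBLIC_PYPI"
    fi
}

# Print how many lines across the given files reference a public registry.
count_direct_urls() {
    cat "$@" | grep -cE "$DIRECT_URL_RE" || true
}

# Print "file:line:text" for each offending line. Returns 1 if any were
# found, so the function can gate a CI job.
scan_for_direct_urls() {
    found=0
    for f in "$@"; do
        matches=$(grep -nE "$DIRECT_URL_RE" "$f" || true)
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches" | sed "s|^|$f:|"
            found=1
        fi
    done
    return "$found"
}

# Write constructed sample files (not from the repository) into a temp
# directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/Dockerfile.bad" <<'EOF'
FROM python:3.12
RUN pip install --index-url https://pypi.org/simple snowflake-connector-python
RUN pip install --extra-index-url https://download.pytorch.org/whl/cpu torch
EOF
    cat > "$dir/Dockerfile.good" <<EOF
FROM python:3.12
RUN pip install --index-url ${ARTIFACTORY_PYPI} snowflake-connector-python
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: report the chosen index and scan the samples.
samples=$(make_samples)
echo "pip index for this environment: $(pip_index_for_env)"
if scan_for_direct_urls "$samples"/Dockerfile.*; then
    echo "no direct registry URLs found"
else
    echo "direct registry URLs found; route them through Artifactory"
fi
```

The scan deliberately flags a public `--extra-index-url` as well as a public `--index-url`: pip considers candidates from every configured index when resolving, so leaving a public extra index in place reopens the path this PR closes even when the primary index is Artifactory.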

@sfc-gh-jdrozdowicz sfc-gh-jdrozdowicz requested a review from a team as a code owner May 12, 2026 11:40
@github-actions

github-actions Bot commented May 12, 2026

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@sfc-gh-jdrozdowicz
Contributor Author

Hi! 👋

The Security Foundation team is replacing third-party URLs with Snowflake Artifactory according to our company's security policies. This change ensures all dependencies are fetched through our controlled proxy rather than directly from public registries.

@sfc-gh-turbaszek @sfc-gh-akolodziejczyk — could you please review this PR? If you were chosen incorrectly, please add the appropriate person for reviewing it.

If you have any questions regarding this PR, please reach out on Slack to Jowita Drozdowicz.

Thank you!


⚠️ Note: This PR was created by an AI agent as part of an automated supply-chain security remediation effort. While the changes have been validated for correctness, AI agents can make mistakes. If you notice any issues, please report them to Jowita Drozdowicz so we can improve the process.

sfc-gh-jdrozdowicz and others added 2 commits May 12, 2026 15:37
Revert Artifactory URLs in Dockerfiles and CI scripts that are used by
GitHub Actions, where the internal Artifactory is unreachable. Restore
JENKINS_HOME conditional for wiremock downloads so Jenkins uses
Artifactory while GHA uses public Maven/GitHub URLs.

Files kept with Artifactory (Jenkins-only): test_darwin.sh,
test_windows.bat, prober/Dockerfile.

Co-authored-by: Cursor <cursoragent@cursor.com>
Add DESCRIPTION.md entry for the supply-chain URL replacement to
satisfy the check_change_log CI gate.

Co-authored-by: Cursor <cursoragent@cursor.com>
@sfc-gh-turbaszek sfc-gh-turbaszek enabled auto-merge (squash) May 14, 2026 13:21
@sfc-gh-turbaszek sfc-gh-turbaszek merged commit 52f175c into main May 14, 2026
47 of 49 checks passed
@sfc-gh-turbaszek sfc-gh-turbaszek deleted the jdrozdowicz/supply-chain/replace-third-party-urls branch May 14, 2026 13:27
@github-actions github-actions Bot locked and limited conversation to collaborators May 14, 2026