|
|
|
|
|
|
by jl6
85 days ago
|
|
|
To be clear, this is a supply chain attack on everyone that uses Trivy, not a supply chain attack on Trivy. It was a direct attack on Trivy, exploiting components that Aqua had full control and responsibility for. The term “supply chain attack” has a connotation of “it’s not really my fault, it was my dependencies that got compromised”. Of course, every entity is ultimately accountable for its own security, including assigning a level of trust to any dependencies, so it’s ultimately no excuse, but getting hit by a supply chain attack does evoke a little more sympathy (“at least I did my bit right”), and I feel like the ambiguous wording of the title is trying to access some of that sympathy. |
|
|
In my experience that is definitely not true, and I've never heard anyone use it that way. Even though you are correct in who the target was.