DEV Community

Erik Pischel
Erik Pischel

Posted on • Originally published at on-sw-integration.epischel.de on

Checking your project dependencies for vulnerabilites

In the light of the recent case of introducing malicious code through a popular JavaScript module on npm, I like to mention snyk.io .

In a simple, free of charge scenario, snyk.io scans build or dependencies files on your github or gitlab projects and periodically reports vulnerabilities. Snyk supports Node, Ruby, Java, Scala and Python projects.

If you pay for snyk.io, you get a lot more integrations, CLI and API access etc.

In my own trial I found that even for fairly recent spring boot and apache camel dependency tree there a dozen of high-rated vulnerabilities! (Many of them by using “com.fasterxml.jackson.core:jackson-databind@2.9.1”). So the next question is if it’s advisable to upgrade to a secure patch of – say – jackson-databind although I use it only indirectly – in other words: will the depended framework still work with the secure patch version?

An open-source alternative is OWASP-Dependency-Check. It scans Java and .Net dependencies, has experimental support for Python, Ruby, PHP (composer), and Node.js applications. The tool seems to be JVM-based. There is a SonarQube-plugin. I have not tried it myself.

Top comments (1)

Collapse
 
tiguchi profile image
Thomas Werner • Edited

I use the Gradle plugin of the OWASP dependency checker as part of the build process of a Java web application project. It works fine, but it can drastically slow down the build process when it downloads the latest exploit database updates. Nice to see that they also added support for Node.JS.

The biggest problem with it (and perhaps also snyk.io?) is that it doesn't perform any code analysis for unreported problems and malicious code. It appears it only checks package names and version numbers against the NVD database of known security vulnerabilities.

I wish there was something like a malware scanner out there for going through all dependencies and looking for red flags (e.g. code obfuscation, certain URLs, HTTP requests where there shouldn't be any etc.). I would even take the occasional false positive into account just to make sure no one mines bitcoins on my server or steals credit card data :-/