loading...

Checking your project dependencies for vulnerabilites

erikpischel profile image Erik Pischel Originally published at on-sw-integration.epischel.de on ・1 min read

In the light of the recent case of introducing malicious code through a popular JavaScript module on npm, I like to mention snyk.io .

In a simple, free of charge scenario, snyk.io scans build or dependencies files on your github or gitlab projects and periodically reports vulnerabilities. Snyk supports Node, Ruby, Java, Scala and Python projects.

If you pay for snyk.io, you get a lot more integrations, CLI and API access etc.

In my own trial I found that even for fairly recent spring boot and apache camel dependency tree there a dozen of high-rated vulnerabilities! (Many of them by using “com.fasterxml.jackson.core:jackson-databind@2.9.1”). So the next question is if it’s advisable to upgrade to a secure patch of – say – jackson-databind although I use it only indirectly – in other words: will the depended framework still work with the secure patch version?

An open-source alternative is OWASP-Dependency-Check. It scans Java and .Net dependencies, has experimental support for Python, Ruby, PHP (composer), and Node.js applications. The tool seems to be JVM-based. There is a SonarQube-plugin. I have not tried it myself.

Posted on by:

erikpischel profile

Erik Pischel

@erikpischel

Professional programming since 2000, mostly Enterprise Java backed web apps.

Discussion

markdown guide
 

I use the Gradle plugin of the OWASP dependency checker as part of the build process of a Java web application project. It works fine, but it can drastically slow down the build process when it downloads the latest exploit database updates. Nice to see that they also added support for Node.JS.

The biggest problem with it (and perhaps also snyk.io?) is that it doesn't perform any code analysis for unreported problems and malicious code. It appears it only checks package names and version numbers against the NVD database of known security vulnerabilities.

I wish there was something like a malware scanner out there for going through all dependencies and looking for red flags (e.g. code obfuscation, certain URLs, HTTP requests where there shouldn't be any etc.). I would even take the occasional false positive into account just to make sure no one mines bitcoins on my server or steals credit card data :-/