Open alestiago opened 3 months ago
We should never depend on vulnerable dependencies.
This is not clear to me. A vulnerability might not affect a given consumer of a package.
The scanner requires an existing pubspec.lock to exist, however the Dart team recommends to ignore comiting the pubspec.lock file for packages (What not to commit, Dart Documentation).
If you are making a package for others to consume, you cannot easily specify which version of your dependencies they will end up consuming - only what range of versions. It is up to them to avoid the vulnerabilities in their pubspec.lock. Committing a pubspec.lock file with the package would not help much.
A workaround if you want to not run CI with a dependency with a vulnerability, would be to have your github action detect "Dependencies are affected by security advisories" in the output from dart pub get
and fail if present.
@szakarias and @jonasfj might have more to say.
Hi @sigurdm thanks for the reply.
This is not clear to me. A vulnerability might not affect a given consumer of a package.
I was referring to the fact that I think that depending on a vulnerable version should be avoided at all costs. It is true that you can depend on a dependency that is tagged as vulnerable but not be vulnerable (for example, depending on vulnerable Archive version but not using symlinks), however I believe such practice is like walking on a tight rope because there is no automated mechanism in place that ensures you won't be using such vulnerable functionalities in the future.
If you are making a package for others to consume, you cannot easily specify which version of your dependencies they will end up consuming - only what range of versions. It is up to them to avoid the vulnerabilities in their pubspec.lock. Committing a pubspec.lock file with the package would not help much.
You're completely right. However, if I'm maintaining a package and I get dependencies I will not like to get a vulnerable version installed in my system. Instead, I would like to be made aware that I'm about to install a vulnerable dependency, and then decide if I want to abort or continue.
A workaround if you want to not run CI with a dependency with a vulnerability, would be to have your github action detect "Dependencies are affected by security advisories" in the output from dart pub get and fail if present.
That would be nice and it would move the tooling closer to the ideal solution (i.e. give me the option before installing a vulnerable version locally). However, I would rather not have to string match the output of the command but instead pass a flag to avoid it being fragile to changes in the output formatting for example.
Description
As a developer, I would like the
dart pub get
to fail when retrieving vulnerable versions unless I explicitly provide a flag to override it.Context
When a Dart package has a dependency on a vulnerable package (those with an an entry on the OSV database) the
dart pub get
command already reports the affected dependencies.For example:
The above succeeds, instead I would like it to fail and only succeed when providing a flag to override it if needed (for example,
--accept-vulnerabilities
).Use-cases
Most Dart developers are already running
dart pub get
on their CIs, if the CI fails on thedart pub get
stage due to a vulnerability it will block them until it gets resolved, hence avoiding vulnerabilities to creep in. Most developers only check if their CI is passing or not, hence they might completely miss the message.In addition, this also accommodates for the limitations the OSV Scanner has, these are:
pubspec.lock
to exist, however the Dart team recommends to ignore comiting thepubspec.lock
file for packages (What not to commit, Dart Documentation).Dart can also install executables to be run locally as a CLI (for example, with:
dart pub global activate
). When activating the executable the dependencies are fetched. If getting dependencies fails it would protect the user from having vulnerabilities. Only if the user explicitly wants to by-pass and accept the consequences of having a vulnerability the local CLI should be installed (a similar experience to what the browser does when trying to access a non-secure website).We should never depend on vulnerable dependencies. Making the
get
fail by default would raise awareness that Dart dependencies can also be vulnerable and the community will soon know which are those and how to prevent new vulnerabilities.P.S.: If the feature is not possible for whatever reason, having a flag (for example,
--no-vulnerabilities
) that could be provided to fail when vulnerable dependencies are detected could be considered instead.