search

nasa / openmct

A web based mission control framework.
https://nasa.github.io/openmct/
Other
12.05k stars 1.25k forks source link

[Build] Incorporate dependency analysis #1130

Closed VWoeltjen closed 8 years ago

VWoeltjen commented 8 years ago

Incorporate a dependency analysis tool into the build process that will trigger a build failure if any dependencies with known vulnerabilities are present.

larkin commented 8 years ago

@VWoeltjen interesting, would this call an external service for lookup? That could be a problem in some of the build environments. It would be great to do this with CircleCI for our official build process but not make it part of the build process if you checked it out for local development.

VWoeltjen commented 8 years ago

Good point, I will structure the gulp tasks to make this one avoidable.

It's been a month or two since I've looked at these tools, but I believe that most/all of them do use some external database to stay up to date on vulnerabilities. I'll keep an eye out to see if any support off-line usage (e.g. by using cached info when service is unavailable.)

VWoeltjen commented 8 years ago

Running as part of the "verify" task, which includes tests, linting, etc. npm install runs the gulp install task, which in turn does not run verify, so this is skipped for normal local installs.

Considered two tools (nsp and snyk); not aware of other options out there, even after some web searching. Both take fairly similar approaches to the problem, and their vulnerability lists look extremely similar (at least for recent updates), so this came down to gulp integration; NSP has a gulp plugin, Snyk would need to be wired into the gulp build manually, so since all else appears equal, going with NSP.

larkin commented 8 years ago

This won't protect us against installing a malicious package and compromising our development machines, but it will protect us from someone exploiting a weakness in the development server, which is intended as a development server and not intended for production usage.

It's a fun tool, though I think it's more likely to give us the illusion of security than anything else. We aren't truly a node application, we use node only for build and tooling. But that said, it is very slightly helpful so long as it doesn't get in our way.

srowhani commented 8 years ago

Something like code climate with https://github.com/nodesecurity/nsp can help automate the process. Something like greenkeeper can be used to test if a newer version of a dep will break the build.

akhenry commented 8 years ago

There's also retire.js that as well as parsing package.json can be pointed at arbitrary source code directories. Pointing it at bower_components yielded:

$ retire --jspath bower_components
Loading from cache: https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json
Loading from cache: https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/npmrepository.json
/Users/melanielean/Documents/Code/openmctweb/bower_components/angular/angular.js
 ↳ angularjs 1.4.4 has known vulnerabilities: severity: low; summary: server-side xss can bypass CSP; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: UI Redress Attack Through Improper Sanitization of SVG Elements; https://srcclr.com/security/ui-redress-attack-through-improper/javascript/s-2252 severity: medium; summary: Arbitrary Code Execution Through SVG Animation Functionality; https://srcclr.com/security/arbitrary-code-execution-through-svg/javascript/s-2253 severity: medium; summary: Arbitrary Code Execution Through access to constructors; https://github.com/angular/angular.js/issues/14939 https://srcclr.com/security/arbitrary-code-execution-via-constructor-access/javascript/sid-2589/summary
/Users/melanielean/Documents/Code/openmctweb/bower_components/angular/angular.min.js
 ↳ angularjs 1.4.4 has known vulnerabilities: severity: low; summary: server-side xss can bypass CSP; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: UI Redress Attack Through Improper Sanitization of SVG Elements; https://srcclr.com/security/ui-redress-attack-through-improper/javascript/s-2252 severity: medium; summary: Arbitrary Code Execution Through SVG Animation Functionality; https://srcclr.com/security/arbitrary-code-execution-through-svg/javascript/s-2253 severity: medium; summary: Arbitrary Code Execution Through access to constructors; https://github.com/angular/angular.js/issues/14939 https://srcclr.com/security/arbitrary-code-execution-via-constructor-access/javascript/sid-2589/summary
/Users/melanielean/Documents/Code/openmctweb/bower_components/angular-route/angular-route.min.js
 ↳ angularjs 1.4.4 has known vulnerabilities: severity: low; summary: server-side xss can bypass CSP; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: UI Redress Attack Through Improper Sanitization of SVG Elements; https://srcclr.com/security/ui-redress-attack-through-improper/javascript/s-2252 severity: medium; summary: Arbitrary Code Execution Through SVG Animation Functionality; https://srcclr.com/security/arbitrary-code-execution-through-svg/javascript/s-2253 severity: medium; summary: Arbitrary Code Execution Through access to constructors; https://github.com/angular/angular.js/issues/14939 https://srcclr.com/security/arbitrary-code-execution-via-constructor-access/javascript/sid-2589/summary