Closed by github-learning-lab[bot] 3 years ago
Vulnerable versions: < 2.6.9
Patched version: 2.6.9
Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low-severity issue.
Finding vulnerable dependencies
Security vulnerabilities can cause a range of problems for your project or the people who use it. A vulnerability could affect the confidentiality, integrity, or availability of a project. Sometimes vulnerabilities aren't in the code you write, but in the code your project depends on. Staying up to date with the most recent versions is the best line of defense, but it has the potential to cause integration issues, so GitHub alerts you to the safest next version of a dependency.
This repository has some existing dependencies which will need updating to stay secure.
How can we identify dependencies and whether they are vulnerable?
This repository is a Node.js project utilizing NPM. Because of that, [`package.json`](https://github.com/vish02chouhan/security-strategy-essentials/blob/main/package.json) defines this repository's dependencies. For our time together, we'll be focusing on these JavaScript dependencies. Keep in mind that different programming languages have different dependency manifests. You might work with a `Gemfile`, `Gemfile.lock`, `*.gemspec`, `requirements.txt`, `Pipfile.lock`, or other files. How can we know these dependencies are secure? GitHub monitors a number of reputable [data sources](https://docs.github.com/en/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies#detection-of-vulnerable-dependencies) to track vulnerabilities across projects.
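The check an alert like the `debug` one above performs on a manifest, as an added example that is not part of this course or of the `debug` project: it reads a constructed `package.json` (`SAMPLE_PACKAGE_JSON`), works out the lowest version each simple NPM range can resolve to, and flags any dependency whose floor is below the advisory's patched version. The advisory table, `rangeFloor` and `findVulnerable` are this example's own names; only plain `x.y.z`, `^`, `~`, `>=` and `=` ranges are parsed.

```javascript
// Added example (not course or debug-project code): scan a package.json for
// dependency ranges whose floor is below an advisory's patched version.
// Constructed manifest standing in for the repository's package.json.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "security-strategy-essentials",
  dependencies: { debug: "^2.6.8", express: "4.16.0" },
  devDependencies: { mocha: "~5.2.0" }
});

// Advisory data from the alert above: debug < 2.6.9 is vulnerable, 2.6.9 is patched.
const ADVISORIES = [{ name: "debug", patched: "2.6.9", summary: "ReDoS via the o formatter" }];

// Numeric major.minor.patch comparison ("2.10.0" > "2.6.9", which a string compare gets wrong).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lowest version a simple npm range ("2.6.8", "^2.6.8", "~2.6.8", ">=2.6.9") can resolve to.
// Assumption: only these forms are parsed; anything else ("latest", "*", a URL) returns null.
function rangeFloor(range) {
  const m = /^(?:\^|~|>=|=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? m[1] : null;
}

// Returns one finding per advisory that names a dependency in the manifest.
// A floor below the patched version means the lockfile may still pin a vulnerable
// release; raising the floor to the patched version is the suggested version update.
function findVulnerable(manifestText, advisories = ADVISORIES) {
  const pkg = JSON.parse(manifestText);
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  const findings = [];
  for (const { name, patched, summary } of advisories) {
    if (!(name in deps)) continue;
    const floor = rangeFloor(deps[name]);
    if (floor === null) {
      findings.push({ name, range: deps[name], status: "unparsed-range", summary });
    } else if (compareVersions(floor, patched) < 0) {
      findings.push({ name, range: deps[name], status: "floor-below-patch", upgradeTo: patched, summary });
    }
  }
  return findings;
}

console.log(findVulnerable(SAMPLE_PACKAGE_JSON));
```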
GitHub's security alerts for vulnerable dependencies
You may notice some alerts from GitHub about this repository. You may get an email, or see a yellow bar warning you about the `package.json` file.
GitHub tracks vulnerabilities for a number of supported languages and their associated package ecosystems, including RubyGems, NPM, Python PIP, Maven, and .NET.
GitHub receives a notification of a newly announced vulnerability. Next, we check for repositories that use the affected version of that dependency. We send security alerts to a set of people within those affected repositories. The owners are contacted by default, and it's possible to configure specific teams or individuals to get these important notifications.
GitHub never publicly discloses identified vulnerabilities for any repository.
Step 2: Find this repository's vulnerable dependencies
Use Dependabot alerts to identify a vulnerable NPM dependency.
:keyboard: Activity: Identify the suggested version update
Identify the suggested version update in the `debug` alert. Return to this issue for my next comment.