If it’s not you it’s them! It doesn’t matter how safe your code is if you let someone else’s bad code in. So to be completely safe, don’t use external code at all, right? But that isn’t very practical. So how do you keep track of the open source you use and make sure it doesn’t have any (known) security flaws?
There are a number of resources you can use to find out whether a dependency has any known security issues:
CVE - Common Vulnerabilities and Exposures: A free and open database sponsored by different organizations within the United States Department of Homeland Security to contain known vulnerabilities.
NVD - National Vulnerability Database: A superset of the CVE database, adding more metadata and a search engine.
Sonatype OSS Index: A free service, hosted and developed by a product company, built on sources like CVE and NVD.
retire.js: Not yet another JavaScript framework, but a scanner that detects ones with known vulnerabilities.
You can of course search those resources manually, but that isn’t efficient, so let’s find some tools. Since the sources are free and have open APIs, there is a great deal of tools. I want to share three good ones (that are also free) with you:
(edit: some issues with VS2019) Audit.Net: An extension for Visual Studio targeting NuGet packages. I think this is a good way to get started and to initially fix your solution, and if you don’t have a build pipeline I would say it’s the way to go, since it will always be there and you will not forget about it. Unless you disable the extension…
OWASP Dependency Check: A command line tool that scans a folder for project dependencies. It can also be used as a plugin for several build engines, such as Jenkins. This method produces a lot of false positives as well as false negatives, so be sure to double-check the matches.
WhiteSource Bolt: A GitHub App and Azure DevOps extension (as well as TFS). This may be the best option for you, since you can have a scan run every time someone pushes a change.
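To show what these tools do at their core, here is an added example (not code from any of the tools or databases above) that reads the PackageReference entries from a csproj and matches them against a small, constructed advisory feed keyed by Package URL (purl) coordinates, the format OSS Index uses. The package names, version ranges and advisory ids are all made up; it also shows why the ecosystem part of the coordinate matters for avoiding false positives.

```python
"""Minimal dependency audit: csproj PackageReferences vs. an advisory feed."""
import xml.etree.ElementTree as ET

# Constructed sample csproj; the packages are hypothetical.
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Acme.Json" Version="11.0.2" />
    <PackageReference Include="Acme.Logging" Version="2.5.0" />
    <PackageReference Include="Unused.Helpers" Version="1.0.0" />
  </ItemGroup>
</Project>"""

# Constructed advisory feed: purl (without version), affected range
# [introduced, fixed), and a placeholder advisory id. Not real advisories.
ADVISORIES = [
    {"purl": "pkg:nuget/Acme.Json", "introduced": "9.0.0", "fixed": "12.0.1", "id": "EXAMPLE-0001"},
    {"purl": "pkg:nuget/Acme.Logging", "introduced": "3.0.0", "fixed": "3.0.4", "id": "EXAMPLE-0002"},
    # Same name, different ecosystem: must NOT match the NuGet package.
    {"purl": "pkg:npm/Acme.Json", "introduced": "0.0.0", "fixed": "99.0.0", "id": "EXAMPLE-0003"},
]

def parse_version(v):
    """Turn '11.0.2' into a comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def package_references(csproj_xml):
    """Yield (package id, version) for every PackageReference in a csproj."""
    root = ET.fromstring(csproj_xml)
    for ref in root.iter("PackageReference"):
        yield ref.get("Include"), ref.get("Version")

def is_affected(version, advisory):
    """True if version lies in [introduced, fixed) of the advisory."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def audit(csproj_xml, advisories):
    """Return (purl@version, advisory id) for each vulnerable reference."""
    findings = []
    for name, version in package_references(csproj_xml):
        purl = f"pkg:nuget/{name}"
        for adv in advisories:
            # NuGet package ids are case-insensitive; compare whole coordinate
            # so that an npm package with the same name is not a match.
            if adv["purl"].lower() == purl.lower() and is_affected(version, adv):
                findings.append((f"{purl}@{version}", adv["id"]))
    return findings

if __name__ == "__main__":
    for coordinate, advisory_id in audit(CSPROJ, ADVISORIES):
        print(f"{coordinate} is affected by {advisory_id}")
```

Real feeds use richer version-range notation than this [introduced, fixed) pair, which is one reason the tools above still produce false positives and negatives worth double-checking.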
Do you use any other tools for this that you like? Send me a tweet and tell me about it.
There is no guarantee that all security issues have been reported, so another preventive measure against the risk is to remove unused dependencies, keep the number you use low, and stay up to date with their versions.