
Erik Pischel

Originally published at on-sw-integration.epischel.de


Checking your project dependencies for vulnerabilities

In light of the recent case of malicious code being introduced through a popular JavaScript module on npm, I'd like to mention snyk.io.

In the simplest, free-of-charge scenario, snyk.io scans the build or dependency files of your GitHub or GitLab projects and periodically reports vulnerabilities. Snyk supports Node, Ruby, Java, Scala and Python projects.

If you pay for snyk.io, you get many more integrations, CLI and API access, etc.

In my own trial I found that even for a fairly recent Spring Boot and Apache Camel dependency tree there were a dozen high-rated vulnerabilities! (Many of them from using “com.fasterxml.jackson.core:jackson-databind@2.9.1”.) So the next question is whether it’s advisable to upgrade to a secure patch of, say, jackson-databind although I use it only indirectly; in other words: will the dependent framework still work with the secure patch version?

An open-source alternative is OWASP Dependency-Check. It scans Java and .NET dependencies and has experimental support for Python, Ruby, PHP (Composer) and Node.js applications. The tool seems to be JVM-based. There is a SonarQube plugin. I have not tried it myself.
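To make concrete what such a scanner does at its core, here is an added example (not code from this post, snyk or Dependency-Check): it walks constructed `mvn dependency:tree` output, matches each group:artifact and version against a constructed advisory list, and reports which direct dependency pulled in the vulnerable transitive one, which is exactly the "I only use it indirectly" situation above. The advisory id and its fixed-in version are placeholders, not real data.

```python
# Added example, not the post's or any tool's code: name-and-version matching
# over a Maven dependency tree, reporting the direct dependency that pulled in
# each vulnerable transitive artifact. Sample tree and advisory are constructed.
import re
from itertools import takewhile
from typing import Dict, List, Tuple
TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- org.springframework.boot:spring-boot-starter-json:jar:2.0.0.RELEASE:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.9.1:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-core:jar:2.9.8:compile
"""  # constructed sample, not from a real build

ADVISORIES = [  # constructed; "fixed_in" is a placeholder, not a real fix version
    {"id": "CONSTRUCTED-ADVISORY-1", "severity": "high",
     "package": "com.fasterxml.jackson.core:jackson-databind", "fixed_in": "2.9.5"},
]
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+)")  # group:artifact:type:version

def version_key(v: str) -> Tuple[int, ...]:
    """Numeric prefix of a version: '2.0.0.RELEASE' -> (2, 0, 0)."""
    return tuple(int(p) for p in takewhile(str.isdigit, re.split(r"[.\-]", v)))

def parse_tree(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (group:artifact, version, path-from-first-direct-dep) per node."""
    nodes, stack = [], []  # stack[i] = package at tree depth i
    for line in text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        node = body.lstrip("+-|\\ ")             # strip the tree art
        depth = (len(body) - len(node)) // 3     # 3 art chars per level
        m = COORD.match(node)
        if not m:
            continue
        pkg = f"{m.group(1)}:{m.group(2)}"
        del stack[depth:]                        # pop back to this node's parent
        nodes.append((pkg, m.group(3), stack[1:] + [pkg]))  # path skips the root
        stack.append(pkg)
    return nodes

def find_vulnerable(text: str, advisories=ADVISORIES) -> List[Dict[str, str]]:
    """Flag every node whose version is below an advisory's fixed_in."""
    findings = []
    for pkg, ver, path in parse_tree(text):
        for adv in advisories:
            if adv["package"] == pkg and version_key(ver) < version_key(adv["fixed_in"]):
                findings.append({"advisory": adv["id"], "severity": adv["severity"],
                                 "dependency": f"{pkg}@{ver}",
                                 "via": path[0] if len(path) > 1 else "(direct)"})
    return findings
```

The `via` field is what you need for the follow-up question in the post: the dependency to bump (or to pin via dependency management) is the direct one, and that is also the one whose compatibility with the patched transitive version has to be verified.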


Top comments (1)

Thomas Werner • Edited

I use the Gradle plugin of the OWASP dependency checker as part of the build process of a Java web application project. It works fine, but it can drastically slow down the build process when it downloads the latest exploit database updates. Nice to see that they also added support for Node.js.

The biggest problem with it (and perhaps also snyk.io?) is that it doesn't perform any code analysis for unreported problems and malicious code. It appears it only checks package names and version numbers against the NVD database of known security vulnerabilities.

I wish there was something like a malware scanner out there for going through all dependencies and looking for red flags (e.g. code obfuscation, certain URLs, HTTP requests where there shouldn't be any etc.). I would even take the occasional false positive into account just to make sure no one mines bitcoins on my server or steals credit card data :-/
