DEV Community

Cover image for NodeSecure Vuln-era
Thomas.G for NodeSecure

Posted on • Edited on

NodeSecure Vuln-era

😍 Logo and cover by our beloved medhi bouchard ❀️

Hello πŸ‘‹,

Back for a little article about the rebranding of one of the NodeSecure tools: Vulnera (previously vuln, the vuln-era has begun!).

An opportunity for me to also write about this wonderful project that was born with the redesign of the back-end less than a year ago ⌚. If you don't remember I wrote an article:

Don't wait and dive in 🌊 with me to discover this tool πŸ’ƒ.

What is Vulnera ? πŸ‘€

Vulnera is a package that allows you to programmatically fetch your Node.js project vulnerabilities from multiple sources or strategies:

πŸ“’ Feel free to push new sources (we have a guide on how to add/contribute one).

The code was originally designed for vulnerability management within the Scanner. Yet, its API is evolving with the objective of making it a full-fledged project.

import * as vulnera from "@nodesecure/vulnera";

const def = await vulnera.setStrategy(
  vulnera.strategies.NPM_AUDIT
);

const vulnerabilities = await def.getVulnerabilities(process.cwd(), {
  useStandardFormat: true
});
console.log(vulnerabilities);
Enter fullscreen mode Exit fullscreen mode

Standard vulnerability format πŸ‘―

We have created a standard format to reconcile the different sources.

export interface StandardVulnerability {
  /** Unique identifier for the vulnerability **/
  id?: string;
  /** Vulnerability origin, either Snyk, NPM or NodeSWG **/
  origin: Origin;
  /** Package associated with the vulnerability **/
  package: string;
  /** Vulnerability title **/
  title: string;
  /** Vulnerability description **/
  description?: string;
  /** Vulnerability link references on origin's website **/
  url?: string;
  /** Vulnerability severity levels given the strategy **/
  severity?: Severity;
  /** Common Vulnerabilities and Exposures dictionary */
  cves?: string[];
  /** Common Vulnerability Scoring System (CVSS) **/
  cvssVector?: string;
  /** CVSS Score **/
  cvssScore?: number;
  /** The range of vulnerable versions */
  vulnerableRanges: string[];
  /** The set of versions that are vulnerable **/
  vulnerableVersions: string[];
  /** The set of versions that are patched **/
  patchedVersions?: string;
  /** Overview of available patches **/
  patches?: Patch[];
}
Enter fullscreen mode Exit fullscreen mode

You can always use the original formats of each source of course 😊. We have implemented and exposed TypeScript interfaces for each of them.

NodeSecure types

Usage in Scanner πŸ”¬

On the scanner we have all the necessary information because we go through the dependency tree πŸŽ„. At the end of the process, we recover all vulnerabilities by iterating spec by spec within the hydratePayloadDependencies strategy method.

const {
  hydratePayloadDependencies,
  strategy
} = await vulnera.setStrategy(
  userStrategyName // SNYK for example
);
await hydratePayloadDependencies(dependencies, {
  useStandardFormat: true,
  path: location
});

payload.vulnerabilityStrategy = strategy;
Enter fullscreen mode Exit fullscreen mode

The following diagram explains the overall behavior and interactions between the Scanner and Vulnera.
NodeSecure

If you want to learn more about the Payload you can check the TypeScript interface here.

What's next ? πŸš€

Some sources are more difficult to exploit than others (for NPM we use Arborist which simplifies our lives).

const { vulnerabilities } = (await arborist.audit()).toJSON();
Enter fullscreen mode Exit fullscreen mode

However, we have to think and create mechanics to exploit sources like Sonatype 😨. This is required for API like getVulnerabilities().

Among the major subjects and ideas we are working on:

  • Create a private database to benchmark the sources between them (see #29).
  • Merging multiple sources in one (see #25).
  • Fetch vulnerabilities of a given remote package (with support for private registry like verdaccio). At the moment we only support the analysis of a local manifest or a payload of the scanner.

Credits πŸ™‡

This project owes much to our core collaborator Antoine COULON who invested a lot of energy to improve it πŸ’ͺ.

Fun fact: its first contribution 🐀 on NodeSecure was also on the old version of the code Scanner that managed vulnerabilities.

But I don't forget individual contributions πŸ‘


GitHub logo NodeSecure / vulnera

Programmatically fetch security vulnerabilities with one or many strategies (NPM Audit, Sonatype, Snyk, Node.js DB).

vulnera

npm version license ossf scorecard github ci workflow

The vuln-era has begun! Programmatically fetch security vulnerabilities with one or many strategies. Originally designed to run and analyze Scanner dependencies it now also runs independently from an npm Manifest.

Requirements

Getting Started

This package is available in the Node Package Repository and can be easily installed with npm or yarn.

$ npm i @nodesecure/vulnera
# or
$ yarn add @nodesecure/vulnera
Enter fullscreen mode Exit fullscreen mode

Usage example

import * as vulnera from "@nodesecure/vulnera";

await vulnera.setStrategy(
  vulnera.strategies.GITHUB_ADVISORY
);

const definition = await vulnera.getStrategy();
console.log(definition.strategy);

const vulnerabilities = await definition.getVulnerabilities(process.cwd(), {
  useStandardFormat: true
});
console.log(vulnerabilities);
Enter fullscreen mode Exit fullscreen mode

Available strategy

The default strategy is NONE which mean no strategy at all (we execute…




Thanks πŸ™ for reading me and see you soon for another article!

Top comments (0)