Automatic check for dependencies' vulnerabilities in Node.js CI #802
Comments
I think that would be a good thing -- it's easier to comment on an implementation. |
|
How would you know what are false positives to put in the ignore list? (referring to step 5 in your outlined strategy). |
|
Work on increasing security awareness, education and tooling for developers is welcome and blessed but I wonder if you're just building more tools that are duplicate of existing, and would potentially worsen the experience for developers? Trying to say: how is this different than |
It really is a judgement call that needs to be done case-by-case. For example: the script currently reports that Node's
That's a good point. The main difference is that We could even add the The main idea is to have a single command which the user (or CI) can run to check for vulnerabilities. As things stand right now, running |
|
Appreciate the elaborate answer and reference. With regards to the Node.js runtime version. Checking that in CI means what exactly though...? it seems out of context because as a team I may have 5 microservices I'm building, all of which are running different versions of the Node.js runtime. Moreover, in some scenarios you also don't just install Node.js from source, but rather use the distro's own package manager, and they sort out patches with their own security advisories, so you'd need to work with some tool like Snyk container scanning to find those. Maybe I have everything I need with Snyk (dependency scanning, container scanning for OS libraries as well as runtime) so I'm not entirely sure I see benefits with this effort. I also still maintain the perspective that I think you might worsen the overall security by not correctly triaging vulnerabilities and allowing for false positives, or true negatives (NVD and npm audit miss quite a bunch of vulnerabilities). Not to mention that it sounds like you'd need to maintain this "true state" vulnerability database yourself if you don't trust upstream NVD and alike. Disclaimer: I'm a developer advocate at Snyk. |
|
And shouldn't the security tab + GHA already alert maintainers (most reports are not public)? I think most findings would have to and will be manually checked ("are we affected or is it mitigated by design?"). |
|
Hi @facutuesca! Thanks a lot for reaching us and sharing your concerns and proposing a solution. 🙂 As the discussion is getting more active, I want to add some personal conclusions. In general, it is very easy for any developer to check how the project dependencies are in terms of vulnerabilities by running So, in general, adding more checks to this command might impact the developers in the wrong direction. As well is important to notice that not all the Node.js users are using Npm in all projects (zero dependencies approach/scripting...). I agree with @liran that is easy to use Snyk as an all-in-one tool to understand the dependencies and runtime potential vulnerabilities. As well as repo owner/writer you can get the information in Github as @DanielRuf just said. But for me, the key issue here is that for many developers is very complex and chaotic to evaluate/understand how these vulnerabilities can affect them. Does this open an opportunity to offer a guide on "how to understand CVEs and the impact in your project context" kind of thing? or maybe there are enough resources out there that we can promote? |
Sorry, I realize now that my original description of the script was not totally clear. The script would be run on the CI of the Node.js repo, in order for the Node team to quickly see if a new vulnerability was reported for Node's dependencies. It is not intended (or really useful) for Node.js users, since they can simply use
For Node.js users, definitely (see my clarification above). As for the Node.js repo itself, I don't think GHA will alert for any new vulnerability of Node's dependencies. At least for the C/C++ libraries like brotli which have their source code copy-pasted into Node's repo, there is no way for GH to know that |
|
In short, the use case of the script would be:
So the main point is to have an automated process to detect and report those vulnerabilities, to minimise the time until the Node.js maintainers become aware of the issue. |
RafaelGSS
changed the title
|
Overall +1. I think it would be a great addition to Node.js itself. |
|
Makes more sense now. At least they will still have to evaluate (if Node is affected at all). |
|
PR with the script is open for review here |
|
@facutuesca thanks for explaining a second time, it's much clearer for me and I agree it is useful. I wonder if it's worth bringing up with the Node.js core team who manages security releases to validate first if this workflow is something useful for them or how to make it such. They're very busy and often over-burdened. |
|
@lirantal the reality is that we get questions from the community about vulnerabilities in our dependencies already. Today we have to adhoc follow those up. I'm hoping that once we have the generation automated, that were possible we can pull in experts from some of the depenencies (for example npm) to review and comment proactively. This would let us have clear and visible answers versus having to backchannel to ask questions/figure it out when the project is asked about a publicly reported vulnerability. |
|
Yep, it's all good. I was confused at first thinking this was something to do with the npm ecosystem, but it's been made clear that this is with regards to the Node.js core project and the dependencies that it itself bundles or relies upon. |
This change adds a new script that queries vulnerability databases in order to find if any of Node's dependencies is vulnerable. The `deps/` directory of Node's repo is scanned to gather the currently used version of each dependency, and if any vulnerability is found for that version a message is printed out with its ID and a link to a description of the issue. Refs: nodejs/security-wg#802 PR-URL: #43362 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
|
Some updates:
|
|
Amazing! |
This change adds a new script that queries vulnerability databases in order to find if any of Node's dependencies is vulnerable. The `deps/` directory of Node's repo is scanned to gather the currently used version of each dependency, and if any vulnerability is found for that version a message is printed out with its ID and a link to a description of the issue. Refs: nodejs/security-wg#802 PR-URL: #43362 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
This change adds a new script that queries vulnerability databases in order to find if any of Node's dependencies is vulnerable. The `deps/` directory of Node's repo is scanned to gather the currently used version of each dependency, and if any vulnerability is found for that version a message is printed out with its ID and a link to a description of the issue. Refs: nodejs/security-wg#802 PR-URL: #43362 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
This change adds a new script that queries vulnerability databases in order to find if any of Node's dependencies is vulnerable. The `deps/` directory of Node's repo is scanned to gather the currently used version of each dependency, and if any vulnerability is found for that version a message is printed out with its ID and a link to a description of the issue. Refs: nodejs/security-wg#802 PR-URL: nodejs/node#43362 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
|
This issue is stale because it has been open many days with no activity. It will be closed soon unless the stale label is removed or a comment is made. |
|
It's now been enabled for 14 and 16 as well so I think we can close this issue. |
Hi all, I'm opening this issue to propose a way of automatically checking Node's dependencies for new vulnerabilities, as part of CI.
The idea is to query both the NVD and the GH Advisory Database with Node's direct dependencies (the ones here) and have a GH action fail in case any new vulnerabilities are found.
I have a working POC in the form of a Python script that:
deps/folder, parsing the current version of each of the dependenciesIf anyone has any comments or suggestions about the approach, please feel free to comment. Also, let me know if I should open a PR with the script in the public Node repo.
The text was updated successfully, but these errors were encountered: