Your code is highly vulnerable to external malicious attacks, and attackers are constantly coming up with new and innovate ways of injecting their code into your apps/websites.
One way is by relying on you to miswrite the dependency name while adding it to your project, for example, goggle instead of google. This kind of attack is called typosquatting.
Another kind is a dependency confusion attack. This is where the attacker will look for your private dependencies and then create the exact same package and publish it in public repositories so the next time you try to build your project you will pick up this attacker’s package.
To prevent attacks like these, it’s vital to check and monitor our dependencies. There are many tools that can help you do this. In cybersecurity, they’re called Software Composition Analysis (SCA) tools. They’re easy to use, and they keep your code safe and secure.
In this article, I will share some of the best ones, listed in no particular order.
OWASP Dependency-Check
The OWASP Dependency-Check is a free open-source tool that aims to detect publicly disclosed vulnerabilities within a project’s dependencies by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If a CPE is found, the tool then generates a report linking to the associated CVE entries.
OWASP Dependency-Check can be easily integrated with other tools, such as CLI, Jenkins Plugin, Circle CI Orb, SonarQube Plugin. To get started, you first need to set up Java, then type the following into your CLI: > .\dependency-check.bat -s C:\MyProjectRoot\
Supported languages: full: Java and .Net; experimental: Ruby, Node.js and Python
Additional Resources:
OWASP Dependency-Check Project | OWASP
https://jeremylong.github.io/DependencyCheck/
OWASP Dependency Check – Visual Studio Marketplace
Sonatype Lift
Sonatype Lift comes in both a free version for public repositories, as well as a paid version with several options to choose from depending on your needs. Alongside checking your dependencies, it also checks your source code, providing feedback as comments in code review. It can easily integrate with GitHub, GitLab, and Bitbucket.
Language support: Java, C, C++, JavaScript, Python, Golang, Ruby, Kotlin, Shell, Haskell, and Markdown.
Package Analysis
Package Analysis is another free open-source tool. It performs analysis of packages that have been uploaded to open-source repositories, scanning for malicious activity and notifying users if something is suspicious. As of the writing of this blog, Package Analysis is still in its early phases, which is not to say that the prototype version isn’t a great tool as is on its own.
Language support: Node, Python (for now, though more may be added as the tool moves away from the prototype)
Additional Resources:
GitHub – ossf/package-analysis: Open Source Package Analysis
Debricked
Debricked is considered “free forever”, with the only limitation being that you get 100 scans per month. It also provides on-premise hosting, but only as part of its paid enterprise plan. Debricked continuously scans, fixes, and prevents vulnerabilities, and it notifies users when any are uncovered. Another great thing about it is that it has stellar documentation, and you can effortlessly find information on anything you need. It works with CI/Build systems such as GitHub, Circleci, BuildKite, GitLab, Bitbucket, Azure DevOps, Travis, Jenkins, Bamboo, and Teamcity.
Language support: C# [NuGet and Paket], Go, Java & Kotlin [Gradle, Maven and Bazel], JavaScript [NPM, Yarn and Bower], Objective-C & Swift [CocoaPods], PHP [Composer], Python [Pip], Ruby [Gem], Rust [Cargo]
Snyk Open Source
The Snyk Open Source tool also has both a free and a paid option, with the free plan offering 200 open-source tests per month. Synk prioritizes issues for you and provides automated remediation advice, as well as useful documentation and seamless integration. It also provides continuous integration with CLI, Jenkins, TeamCity, Bitbucket Pipelines, Azure Pipelines, Circle CI, Terraform-Cloud, and SnykAPI. Its other plans are pricey, but the free version should be enough for your needs.
Language support: .Net [Nuget, Paket], C & C++, Elixir [Hex], Go [Go modules, dep, govendor], Java [Gradle, Maven], JavaScript [npm, yarn], Swift and Objective-C [CocoaPods], PHP [Composer], Python [pip, Poetry, pipenv], Ruby [Bundler], Scala [sbt]
Additional Resources:
Identifying and resolving security code vulnerabilities using Snyk in AWS CI/CD Pipeline | AWS DevOps Blog (amazon.com)
WhiteSource Bolt
WhiteSource Bolt is free for open-source components. It supports both public and private repositories. Integration with Azure DevOps and GitHub is also built in. The only catch with this tool Is that your Azure DevOps organization must be connected to an Azure Active Directory via Organization Settings > Azure Active Directory.
Language support: C, C#, C++, Go, Java, JavaScript, Objective-C, PHP, Python, and Ruby
Additional resources:
WhiteSource Bolt: Find & Fix Open Source vulnerabilities (whitesourcesoftware.com)
Github’s Code Security and Analysis
Github’s Code Security and Analysis is free for public repositories. There is also an Advanced Security option available as part of the enterprise plan, which costs $21/user/month). This tool provides a dependency graph and alerts you when a vulnerability is found in a dependency. An added feature is that you can also upgrade dependencies.
To turn Code Security and Analytics on in your GitHub account, go to Your profile image > Settings > Security > Code security and analysis (see photo below).
To adjust the security setting for a specific repository, go to: Specific repository > Settings > Security > Code Security and analysis
Language support: C#, Go [Modules], Java [Maven], JavaScript [npm, Yarn], PHP [Composer], Python[pip], Ruby [RubyGems], Scala [Maven], TypeScript [npm, Yarn]
Additional resources:
https://docs.github.com/en/repositories/managing-your-repositorys-settings-a…
https://docs.github.com/en/code-security/code-scanning
https://github.com/features/security/software-supply-chain
Gitlab’s Dependency Scanning
Gitlab’s Dependency Scanning tool may be limiting in its cost (it’s only available as part of an Ultimate plan at ($99/user/month), but it automatically offers solutions for some vulnerabilities.
Language support: Ruby, PHP, C, C++, Go, Java, JavaScript, .Net, C#, Python, Scala (for more details see this link)
Open Source Insights
Google’s free Open Source Insights provide you with a complete and accurate view of the entire dependency graph. It also provides you with security advisories.
Checkmark’s DustiLock
DustiLock is a free tool that flags your dependencies depending on whether or not they’re susceptible to Dependency Confusion attacks.
Language support: Python – (requirements.txt), JS – npm (package.json)
Prevention is better than cure. In life and in code.
As a Security Specialist and Ethical Hacker, I cannot recommend these tools enough. Everyone, especially DevOps engineers, should be using them to add an additional layer of security to their coding practices. If anything, both GitHub and GitLab have built-in protection that can be easily enabled without having to sign up for additional services. Still, it would benefit both you and your code if you can invest some time in finding the right Software Composition Analysis tools (SCA). It will save you from potential headaches down the line in case of a malicious attack.