Nowadays most software projects of a “decent size” rely on many software dependencies, in other words: libraries and tools developed by other people, which are usually under constant change.
The reasons for this are clear and range from implementing common patterns and avoiding repetition, to accelerating development, to using mature implementations and avoiding some pitfalls. Sometimes projects rely on way too many dependencies for simple things (remember the left-pad fiasco?).
Once these dependencies are loaded, integrated and working as expected, people often forget they are there, and many times they stay untouched for long periods of time. Even when newer versions are released, unless something starts breaking, nobody remembers to keep them up to date, a situation that might lead to security vulnerabilities, not in your code but in the code your project depends on.
Of course I’m not telling you anything new; what I intend to achieve with this post is to show that there are many tools available to help you fight this problem. When you integrate them into your CI or into another step of your development process, they will keep you informed about which dependencies have known security vulnerabilities and which ones you should upgrade as soon as possible.
The majority of programming languages have this sort of tool, so a little searching should help you find the one that best suits your stack. Below are some examples:
- Python – safety
- Ruby – Bundler Audit
- Java, .net and others – OWASP Dependency Check
- Rust – Cargo Audit
As an example, here is what I needed to do in order to check the dependencies of Hawkpost (an open-source project that I’m deeply involved with at the moment):

```
$ safety check --full-report -r requirements/requirements.txt
safety report
---
No known security vulnerabilities found
```
For most of these tools the basic check is this simple to do and in the long run it might save you from some headaches.
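To make concrete what a check like the one above actually does, here is an added example (not code from this post, from Hawkpost, or from the `safety` project) that reproduces the core of any dependency audit tool: read the pinned versions from a requirements file, look each package up in an advisory database, and test whether the pinned version falls inside an affected version range. The requirements file contents, the advisory entries and the `EXAMPLE-ADV-*` identifiers are all constructed for illustration; real tools pull their data from curated vulnerability feeds.

```python
"""Minimal dependency audit in the spirit of `safety check`.

Added example, not code from the post or from any of the tools it lists.
The advisory database and requirements file below are constructed for
illustration; real tools fetch their data from curated vulnerability feeds.
"""
import re
from typing import Dict, List, Tuple

# Constructed advisory list: package -> [(affected version spec, advisory id)].
# Specs use the ">=1.0,<1.2.3" clause style common in Python audit databases.
CONSTRUCTED_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "requests": [("<2.20.0", "EXAMPLE-ADV-001")],
    "django": [(">=2.0,<2.0.8", "EXAMPLE-ADV-002"), ("<1.11.15", "EXAMPLE-ADV-003")],
}

# Constructed requirements file contents (what `-r requirements.txt` would read).
CONSTRUCTED_REQUIREMENTS = """\
# comments and blank lines are ignored
Django==2.0.5
requests==2.21.0
PyYAML==3.13
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0.5' into (2, 0, 5); a non-numeric suffix such as 'rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two version tuples, padding with zeros so 2.0 == 2.0.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def version_matches(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause in `spec`."""
    v = parse_version(version)
    ops = {"<=": (-1, 0), ">=": (0, 1), "==": (0,), "<": (-1,), ">": (1,)}
    for clause in spec.split(","):
        clause = clause.strip()
        for op in ("<=", ">=", "==", "<", ">"):  # two-char operators first
            if clause.startswith(op):
                if compare(v, parse_version(clause[len(op):].strip())) not in ops[op]:
                    return False
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return True


def parse_requirements(text: str) -> Dict[str, str]:
    """Read pinned 'name==version' lines; names are normalised to lowercase."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([^\s;]+)", line)
        if m:
            pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def audit(requirements_text: str, advisories: Dict[str, List[Tuple[str, str]]]):
    """Return (package, version, advisory id) for every pin inside an affected range."""
    findings = []
    for name, version in parse_requirements(requirements_text).items():
        for spec, advisory_id in advisories.get(name, []):
            if version_matches(version, spec):
                findings.append((name, version, advisory_id))
    return findings


def exit_code(findings) -> int:
    """CI-style result: 0 when clean, 1 when any pinned package is affected."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = audit(CONSTRUCTED_REQUIREMENTS, CONSTRUCTED_ADVISORIES)
    for name, version, advisory_id in results:
        print(f"{name}=={version} is affected by {advisory_id}")
    raise SystemExit(exit_code(results))
```

The non-zero exit code is the piece that matters when you wire this into CI: the build fails as soon as a pinned version lands in a known-affected range, which is exactly the "keep you informed" behaviour the post asks for. Note that only exact `==` pins are audited here; an unpinned or range-constrained dependency cannot be checked until it is resolved to a concrete version, which is one more reason to pin what you deploy.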
Update (26-06-2018): Added cargo-audit to the list.