Vulnerability Scans


James Cook

Mar 11, 2022, 6:26:37 AM
to Dart Misc
Are there any available tools which will perform vulnerability scans on Dart code? 

This is required by control standards in some industries, usually using a vulnerability database for dependency checking. 

I have read Google doesn’t contribute to a public vulnerability database, but maintains their own list of issues. If this is accurate, does the company provide tooling to certify code is not using libraries or packages which have known issues with security flaws or exploits? Should Google be doing more to be transparent regarding known vulnerabilities?

James Cook

Mar 11, 2022, 7:33:01 AM
to Dart Misc
Did some research this morning.

Google now has the reporting process.
https://dart.dev/security

Google has the data reporting format.
https://github.com/ossf/osv-schema

Google has an open source database for this purpose.
https://github.com/google/osv

Google doesn’t have the priority to surface Dart into these processes or tools.
https://github.com/google/osv/issues/62

Google has started using GitHub Security advisories (per repo?) to publish security issues.
https://github.com/dart-lang/sdk/security/advisories

Google may be embracing GitHub’s advisory reporting, but not showing in Github’s centralized database.
https://github.com/advisories

Google has posted a handful of vulnerabilities to CVE (same 5 as shown in dart/sdk repo)
https://cve.report/software/dart/dart_software_development_kit

Google (and no other commercial or open source vulnerability scanners) exist for Dart at the time of writing. (pub.dev package vulnerabilities, or unsafe coding practices)

Google has no mechanism for tracking vulnerabilities across the thousands of libraries in pub.dev.
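As an added example (not code from this thread or from the Dart team), here is a minimal offline check of the kind the dependency-scanning tooling discussed above would need: it matches the packages pinned in a pubspec.lock against advisories written in the OSV schema and evaluates their SEMVER ranges. The lockfile, the advisory and its id are constructed sample data; the ecosystem name "Pub" for pub.dev packages is an assumption, and the lockfile parser is deliberately narrow.

```python
import re
# Constructed pubspec.lock fragment (sample data, not a real project's lockfile).
PUBSPEC_LOCK = """\
packages:
  http:
    version: "0.13.4"
  yaml:
    version: "3.1.1"
"""
# Constructed advisory in OSV schema shape; "EXAMPLE-0001" is a placeholder id.
# Assumption: "Pub" is the OSV ecosystem name for pub.dev packages.
ADVISORIES = [{"id": "EXAMPLE-0001", "affected": [{
    "package": {"ecosystem": "Pub", "name": "http"},
    "ranges": [{"type": "SEMVER",
                "events": [{"introduced": "0"}, {"fixed": "0.13.5"}]}]}]}]

def parse_lock(text):
    """Return {package: version} from the lockfile's 'packages:' section."""
    pkgs, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"^  (\S+):\s*$", line):
            current = m.group(1)
        elif current and (m := re.match(r'^    version:\s*"?([^"\s]+)"?', line)):
            pkgs[current] = m.group(1)
    return pkgs

def semver(v):
    # Numeric core only; pre-release/build suffixes are dropped for brevity.
    return tuple(int(x) for x in re.split(r"[-+]", v, 1)[0].split("."))

def in_range(version, rng):
    # OSV SEMVER events, assumed sorted: affected from 'introduced' until 'fixed'.
    v, hit = semver(version), False
    for ev in rng["events"]:
        if "introduced" in ev and v >= semver(ev["introduced"]):
            hit = True
        if "fixed" in ev and v >= semver(ev["fixed"]):
            hit = False
    return hit

def scan(lock_text, advisories):
    """Map each locked package to ids of advisories whose ranges cover it."""
    findings = {}
    for name, ver in parse_lock(lock_text).items():
        for adv in advisories:
            for aff in adv["affected"]:
                if aff["package"] != {"ecosystem": "Pub", "name": name}:
                    continue
                if any(r["type"] == "SEMVER" and in_range(ver, r) for r in aff["ranges"]):
                    findings.setdefault(name, []).append(adv["id"])
    return findings
```

Running `scan(PUBSPEC_LOCK, ADVISORIES)` flags `http` 0.13.4 (below the fixed version) and leaves `yaml` clean; a real scanner would pull advisories from the OSV database instead of an inline list.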

Jonas Jensen

Mar 16, 2022, 6:22:40 AM
to Dart Misc, djame...@gmail.com
> Are there any available tools which will perform vulnerability scans on Dart code? 
> This is required by control standards in some industries, usually using a vulnerability database for dependency checking. 

Ability to scan for dependencies with known vulnerabilities is something we want.
And it's something we're starting to work on.

Exactly how it'll work isn't something we've completely figured out yet.

> Google now has the reporting process.
> https://dart.dev/security

I think this is for vulnerabilities in the Dart SDK, and packages owned by the Dart team.