Vulnerability Scans

26 views
Skip to first unread message

James Cook

unread,
Mar 11, 2022, 6:26:37 AMMar 11
to Dart Misc
Are there any available tools which will perform vulnerability scans on Dart code? 

This is required by control standards in some industries, usually using a vulnerability database for dependency checking. 

I have read Google doesn’t contribute to a public vulnerability database, but maintains their own list of issues. If this is accurate, does the company provide tooling to certify code is not using libraries or packages which have known issues with security flaws or exploits? Should Google be doing more to be transparent regarding known vulnerabilities?

James Cook

unread,
Mar 11, 2022, 7:33:01 AMMar 11
to Dart Misc
Did some research this morning.

Google now has the reporting process.
https://dart.dev/security

Google has the data reporting format.
https://github.com/ossf/osv-schema

Google has an open source database for this purpose.
https://github.com/google/osv

Google doesn’t have the priority to surface Dart into these processes or tools.
https://github.com/google/osv/issues/62

Google has started using GitHub Security advisories (per repo?) to publish security issues.
https://github.com/dart-lang/sdk/security/advisories

Google may be embracing GitHub’s advisory reporting, but not showing in Github’s centralized database.
https://github.com/advisories

Google has posted a handful of vulnerabilities to CVE (same 5 as shown in dart/sdk repo)
https://cve.report/software/dart/dart_software_development_kit

Google (and no other commercial or open source vulnerability scanners) exist for Dart at the time of writing. (pub.dev package vulnerabilities, or unsafe coding practices)

Google has no mechanism for tracking vulnerabilities across the thousands of libraries in pub.dev.
--
For more ways to connect visit https://dart.dev/community
---
You received this message because you are subscribed to the Google Groups "Dart Misc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to misc+uns...@dartlang.org.
To view this discussion on the web visit https://groups.google.com/a/dartlang.org/d/msgid/misc/95ed0cb7-6d53-4114-b2f9-67b095a9c1b9n%40dartlang.org.

Jonas Jensen

unread,
Mar 16, 2022, 6:22:40 AMMar 16
to Dart Misc, djame...@gmail.com
> Are there any available tools which will perform vulnerability scans on Dart code? 
> This is required by control standards in some industries, usually using a vulnerability database for dependency checking. 

Ability to scan for dependencies with known vulnerabilities is something we want.
And it's something we're starting to work on..

Exactly how it'll work isn't something we've completely figured out yet.

> Google now has the reporting process.
> https://dart.dev/security

I think this is for vulnerabilities in the Dart SDK, and packages owned by the Dart team.
Reply all
Reply to author
Forward
0 new messages