Query


Amit Agarwal

Jun 19, 2014, 3:35:34 AM
to dependen...@googlegroups.com
Dear Jeremy, 

When will the feature to identify vulnerable client-side frameworks like JS, EXTJs etc. be available for use?

Thanks & Regards,

Amit Agarwal.

Jeremy Long

Jun 20, 2014, 7:17:49 AM
to dependen...@googlegroups.com
I've been tinkering with identifying JavaScript libraries - both to support Node.js and client side libraries like JQuery, YUI, etc. I am trying to solve some problems with false positive/negative; due to these problems I don't feel it is ready to publish yet. I'm hoping to have this done before the end of the year.

--Jeremy

Jon dB

Apr 27, 2015, 3:52:12 PM
to dependen...@googlegroups.com
I am looking for a nodeJS solution. Did you have any luck integrating it into DC?

Jon

Jeremy Long

Apr 27, 2015, 6:42:03 PM
to Jon dB, dependen...@googlegroups.com
Jon,

This is on my todo list - however, I have not had time to implement it yet. Additionally, Node.js may present some challenges in trying to collect evidence to do library identification. I am not much of a node.js developer (or rather, I'm in the consulting world what they call an expert - I've compiled and run hello world). So any tips in the Node.js world to perform library identification would help. Currently, the plan was to parse out the header comments of JS files to look at Copyright information and parse file names. If you can tell me of more accurate sources of vendor, product, and version information for node.js projects I'd love to know as it will help implementation.

--Jeremy

--
You received this message because you are subscribed to the Google Groups "Dependency Check" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dependency-che...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jon Debonis

Apr 28, 2015, 12:40:35 AM
to Jeremy Long, dependen...@googlegroups.com
I'm not an expert either.

Manually, I'm looking at package.json files which npm (node package manager) uses to install dependencies.

Ran across this site as well. Looking at their vulnerabilities, they aren't getting CVEs. :(


Jon
--
Jon Debonis
VP Information Security / CISO
Blend Labs Inc

j...@blendlabs.com
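Jeremy's plan above (parse the header comments of JS files for copyright and version strings, plus file names) and Jon's manual approach (read the package.json that npm installs from) can be combined into one evidence collector. The script below is an added example written for this thread; it is not Dependency Check's own analyzer and not code posted by anyone in the discussion. The sample project tree, the library banners and the version numbers in it are constructed for illustration, and the banner regex is a heuristic of my own, not the project's.

```python
"""Collect library-identification evidence from a Node.js / client-side JS tree.

Two evidence sources, as discussed in the thread: package.json (npm metadata,
the authoritative name/version) and the banner comment at the top of a JS
file (a heuristic fallback for client-side libraries shipped outside npm).
Every sample file below is constructed for this example.
"""
import json
import os
import re
import tempfile

# Heuristic banner pattern: "<Name words> [-|] [v]<major.minor[.patch]>".
# Matches e.g. "/*! jQuery v1.11.1 | ...", " * @license AngularJS v1.3.15",
# "// Underscore.js 1.8.3" and " * jQuery JavaScript Library v1.7.2".
BANNER_RE = re.compile(
    r"""(?:@license\s+)?                                   # optional @license tag
        (?P<name>[A-Za-z][\w.-]*(?:\s+[A-Za-z][\w.-]*)*?)  # name, possibly several words
        \s*(?:[-|]\s*)?v?                                  # optional separator / leading 'v'
        (?P<version>\d+\.\d+(?:\.\d+)?)\b                  # dotted version number
    """,
    re.VERBOSE,
)


def leading_comment_lines(source, max_lines=20):
    """Return the stripped lines of the comment block that opens a JS file.

    Scanning stops at the first line of real code, so copyright strings
    deeper in the file never produce spurious matches.
    """
    out, in_block = [], False
    for line in source.splitlines()[:max_lines]:
        stripped = line.strip()
        if not out and not stripped:
            continue                      # skip leading blank lines
        if in_block or stripped.startswith("/*"):
            in_block = True
            out.append(stripped)
            if "*/" in stripped:
                break                     # end of the block comment
        elif stripped.startswith("//"):
            out.append(stripped)
        else:
            break                         # first non-comment line
    return out


def parse_js_banner(source):
    """Heuristically extract {name, version} from a JS file's banner comment."""
    for line in leading_comment_lines(source):
        m = BANNER_RE.search(line)
        if m:
            return {"name": m.group("name"), "version": m.group("version"),
                    "evidence": "banner"}
    return None


def parse_package_json(text):
    """Extract the identification fields npm records in package.json."""
    data = json.loads(text)
    return {"name": data.get("name"), "version": data.get("version"),
            "dependencies": dict(data.get("dependencies", {})),
            "evidence": "package.json"}


def scan_tree(root):
    """Map relative path -> (name, version) for every identifiable library.

    Inside node_modules only package.json is trusted (npm wrote it); elsewhere
    JS banners are parsed too, to catch hand-copied client-side libraries.
    """
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        inside_npm = "node_modules" in rel_dir.split(os.sep)
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            info = None
            if fn == "package.json":
                with open(path, encoding="utf-8") as fh:
                    info = parse_package_json(fh.read())
            elif fn.endswith(".js") and not inside_npm:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    info = parse_js_banner(fh.read(2048))  # banner sits at the top
            if info and info["name"] and info["version"]:
                findings[rel] = (info["name"], info["version"])
    return findings


# Constructed sample tree (paths and contents are made up for this example).
SAMPLE_FILES = {
    "package.json": '{"name": "demo-app", "version": "0.1.0", "dependencies": {"lodash": "^3.9.3"}}',
    "node_modules/lodash/package.json": '{"name": "lodash", "version": "3.9.3"}',
    "node_modules/lodash/lodash.js": "/**\n * @license\n * lodash 3.9.3\n */\n;(function(){})();",
    "public/js/jquery.min.js": "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */\n!function(a,b){}(this);",
    "public/js/angular.js": "/**\n * @license AngularJS v1.3.15\n * (c) 2010-2015 Google, Inc. http://angularjs.org\n */\n(function(window){})(window);",
    "public/js/app.js": "var app = {};\n",
}


def demo_scan():
    """Write the sample tree to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, (name, version) in sorted(demo_scan().items()):
        print(f"{path}: {name} {version}")
```

Running the script prints one line per identified library. The package.json path is the reliable one; the banner parser is only as good as the conventions library authors happen to follow, and a concatenated or re-minified bundle with its banner stripped yields nothing, which is the false-negative problem Jeremy describes.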

ma...@srcclr.com

Apr 28, 2015, 3:01:06 AM
to dependen...@googlegroups.com, j...@blendlabs.com
itsComplicated(https://www.npmjs.com/policies/disputes).(_smug_grin);

You will need to work with NPM (npm -g list on the package.json) and use https://docs.npmjs.com/api/npm and https://docs.npmjs.com/api/search

Zed Shaw (an early OWASP guy BTW) explains why not to install as root. Hint, i.e. watch out for strange spawning shells from running npm install from someone you don't trust, or fail the build 50% of the time; pick your poison. ;-) http://stackoverflow.com/questions/4938592/how-why-does-npm-recommend-not-running-as-root

Tip: A lot of Node vulns don't make CVEs, and it turns out many Node developers just fix and remove previous versions real fast, so matching signatures on older code isn't reliable and a lot just gets silently fixed.




Visser, Dale

Apr 28, 2015, 11:20:27 AM
to ma...@srcclr.com, dependen...@googlegroups.com, j...@blendlabs.com

It looks like https://nodesecurity.io/ is dealing with the problem of vulnerable dependencies in the node.js/npm space, and doing it quite nicely. They provide both the database and the tooling. Browsing a few of their advisories, I see that they give a “CVE status” as well.


I would still like to see Dependency Check tackle scripts that land on the client side, though. For example: jQuery, Angular, and literally thousands of smaller libraries. For reasons Jeremy already stated, this will be challenging.


Best regards,

Dale Visser

Jeremy Long

Apr 28, 2015, 8:59:00 PM
to Visser, Dale, ma...@srcclr.com, dependen...@googlegroups.com, j...@blendlabs.com
Dale,

Thanks, I hadn't seen that project. I'll add it to my list of "related projects" that I am building. (see https://github.com/jeremylong/DependencyCheck/blob/master/src/site/markdown/related.md).

--Jeremy

Jeremy Long

Apr 28, 2015, 9:08:29 PM
to ma...@srcclr.com, dependen...@googlegroups.com, Jon Debonis
Mark,

Trust me, I know it's complicated. The fact that Node.js vulns don't make CVEs is definitely not unique to Node. I've talked to people that were building vulnerability lists by monitoring the commit logs of the projects they were interested in. Developers don't care about CVEs - security peeps do. If a developer finds a bug (security related or not) chances are they fix it and move on. Developers are not looking for more paperwork.

--Jeremy