Ask HN: How do you check for malware in OSS packages?
What tools would you suggest to scan for malicious packages or dependencies?
7 コメント
Maybe some ideas here: httpss://www.owasp.org/index.php/Source_Code_Analysis_Tools
At work we use a commercial tool for static analysis. From what I have seen it is rather stupid, it produces a lot of false positive security issues about things like allocating memory (potential resource exhaustion vulnerability...)
You also probably want to pin versions of all dependencies, and store them in a repository that you control access to (a good idea for reproducibility, ignoring security).
At work we use a commercial tool for static analysis. From what I have seen it is rather stupid, it produces a lot of false positive security issues about things like allocating memory (potential resource exhaustion vulnerability...)
You also probably want to pin versions of all dependencies, and store them in a repository that you control access to (a good idea for reproducibility, ignoring security).
SAST tools take a lot of work to get up and running. If you're just running them out of the box, you're probably doing it wrong.
I've had the same experience with existing SAST tools.
There are open source tools for CVE checking, which is a good start, there are also commercial alternatives like Whitesource. CSP headers can help. So is only using packages that are actively updated.
What tools have you been using to scan NPM/Python/Ruby/Go packages for malicious dependencies? How do I know if one of the dependencies in my package is not going to steal my NPM credentials, for example?
If you are looking for something that helps you keep your OSS packages secure, then Snyk[0] is doing an excellent job at it.
[0] https://snyk.io
[0] https://snyk.io
Snyk only checks for known vulnerabilities, not if the package itself is malicious.