nodesecure / vulnera Goto Github PK

Add a new strategy / set of API to support the new OpenSSF project OSV: https://osv.dev/

Also see the official GitHub repository: https://github.com/ossf/malicious-packages

The Node.js Ecosystem Security Database is no more maintained (it's deprecated). So there is no reason to use it anymore for a production application. We should tag as deprecated in README (and also in the strategy markdown page).

• Throw a deprecation warning when we use this strategy (see process.emitWarning)

Here a link to an official Node.js article that explain why: https://nodejs.medium.com/node-js-ecosystem-vulnerability-reporting-program-winding-down-591d9a8cd2c7

The main idea of @nodesecure/vuln is to expose a set of strategies to detect vulnerabilities within a given project.

In my opinion, it would be great to process some benchmarks for each strategy against a dataset of open-source libraries including well-known to rare vulnerabilities.
This would let consumers know the tradeoffs of each @nodesecure/vuln strategy given their project environment and constraints (e.g: npm strategy requires the specific package-lock.json lockfile to be present).

Now that the objective should be clear enough, we must determine three things:

• the amount of data we must collect and then use to provide a representative dataset for each strategy
• the criteria from which we determine that a strategy has effectively caught a given vulnerability in a library (i.e: do we take into account the vulnerability score ("medium", "high", etc) or we just say that whenever a strategy catches a vulnerability we count it)
• the output and format of each benchmark

@fraxken suggested that we could create a /benchmark root directory

SonaType have a REST API to search for vulnerabilities. Not sure how exactly how it work and if this make sense to implement this in Vuln. But we can always try and see.

https://ossindex.sonatype.org/rest

Vuln is originally designed to work with NodeSecure/scanner. However i would like to expand the API to allow any third-party codes to use this package.

The hydratePayloadDependencies method is very specialized for the Scanner. One of my idea is to provide a new method to allow to launch an analysis on a given manifest (package.json). We could ask for a path or even a manifest payload.

However all strategies may not work well with this (Node.js Security WG for example). But we can work step by step to provide support and find solutions for those strategies (no need to rush).

@all-contributors please add @fraxken for code, doc, review, security, bug

Currently, the npm strategy only works for package-lock.json and npm-shrinkwrap.json lock files.

We could actually extend that to pnpm-lock.yaml using the npm strategy using programmatically the library provided by the pnpm organization which uses the same vulnerability registry.

It would allow us to enhance the compatibility of the npm strategy (pnpm + npm would be both supported).

Add a new strategy to support NVD: https://nvd.nist.gov/

The API has a ratelimit but an API key can be requested here

Maybe we need to somehow thinks how to design this given API (We can take inspiration from nodejs-dependency-vuln-assessments

For now, the strategy around Sonatype is not taking into account rate and payload limits imposed by the API.

• Payload limit

When requesting multiple components, there is a payload limit of 128 components per requests). Given that a project might contains thousands of dependencies, we must provide a way to batch requests respecting taking care of that limit.

Issue:
For now, all the dependencies found from the scanner are provided in the body of the request here . This is problematic because when dealing with a lot of dependencies, there is at the moment only one http request fired with all the dependencies, whereas we should batch X requests which each containing a maximum of 128 dependencies by payload. When providing more than 128 components per request, the API responds with an error.

Goal:
Take for instance an array of package urls with 130 components (130 dependencies formatted as package urls). The goal is the create from this array chunks of size 128 and to fire an HTTP request to the API with each chunk.
In this example we would have:

• 1 HTTP request with components from 1 to 128

• 1 HTTP request with components from 128 to 130

• API rate limit

Probably needs an implementation using @myunisoft/httpie.

Issue:
Nothing specific with vuln here, but the interactions with the Sonatype API should handle rate limit through the use of the @myunisoft/httpie http client. Without throttling requests, we are sure to exceed the rate limit of the API.

Goal:
Use @myunisoft/httpie to configure rate limit, there is an example here

Replace old blockquotes with the new one provided by Github: https://github.com/orgs/community/discussions/16925

There is a solution called "trivy" - https://github.com/aquasecurity/trivy

Could be cool to look what is required and if they use a specific database for vulnerabilities. And if there is a way to implement this solution as one of the new strategy for NodeSecure.

@all-contributors please add @tony-go for code, review, bug

The goal of the task is to implement standalone database API like the OSV one for:

• GitHub
• Snyk
• Sonatype
• NVD

The main idea behind that is to use them to refactor strategy (for example in Snyk and Sonatype we kinda do the work ourself).

I created one issue but each of the require a separated PR.

One of the challenge with fetching vulnerabilities from multiple source is that we have to deal with multiple payload with different keys and values.

The ideal would be to find a standard format that would belong to NodeSecure.

We could also add a new option in the "HydratePayloadDependenciesOptions" interface.

I think we should work toward the goal of supporting multiple formats including OSV: https://ossf.github.io/osv-schema/

For the API we should probably rename useStandardFormat to useFormat. This new property take a string with possible enumeration: OSV or Standard

const vulnerabilities = await definition.getVulnerabilities(process.cwd(), {
  useFormat: "OSV"
});

When we attempt to compile with TypeScript and module resolution to ESM (NodeNext) it will throw:

Hello 👋,

One of the thing to explore is to merge multiple strategies in one to maybe get a better end results ?

Any ideas are welcome.

The goal of the task is to add a new Strategy to fetch vulnerabilities from Snyk API.

Screenshot from one of the old code i have made:
https://twitter.com/fraxken/status/1355272169429872642/photo/1

As the screenshot demonstrate we have to make one API call by dependency (that why we need to do in the hydratePayloadDependencies of the strategy).

Snyk API is not free and we need a token (i have a premium org so ask me for access).