In this article we are going to discuss about the packages that we can use to detect the vulnerabilities in dependencies. Most of the packages try to match the packages from the NVD [ National Vulnerability Database ] which is maintained by the US government.
Lets start with the packages that we can use to detect these vulnerable dependencies.
For node packages we are going to use the nsp package which is a free tool provided and maintained by Node Security Project.
For installing type
npm install nsp ---global
Head over to the projects root directory
It will list the dependencies in the project with all the informations that you may need just like the below image.
For php, generally composer is used as a package manager. For php most used frameworks are Laravel and symfony.
Sensio provides a great way to check the dependencies. It is called security-checker and it comes in bundle with symfony 3 while for symfony 2 . You can get it by updating sensio/distribution-bundle to version 3.0.*
Now if you have the module installed. Run the below command to test for the dependency security vulnerability.
For symfony 2
php app/console security:check
For symfony 3 and above
php bin/console security:check
You will get output something like below.
We come to the language whose framework ROR is known for being the best choice if you want to develop something real fast. In this hurry Ruby on Rails use gems which are already written by other and everyone use them. There are so many dependencies that it becomes really hard to track all these.
Thus having gem for testing the vulnerabilities will be really helpful. Then I recommend using bundler-audit.
The tool test for the vulnerabilities in NVD and ruby advisory database. It is recommended, maintained and trusted by rubysec, a ruby security community. Thus it becomes a great choice.
To use it install it using
gem install bundler-audit
Now to test for the dependency security run
Now it will test the vulnerabilities and list them like below.
We can also use the command
pip list -o
to list the outdated vulnerabilities.
Python dependency security vulnerability checker.
Wow, you are here. Thanks for reading the article will update as soon as I found some good package for python.
Please share and distribute the knowledge.