Packages to check dependency vulnerabilities in Rails, Node, php and python.


In this article we are going to discuss the packages that can be used to detect vulnerabilities in project dependencies. Most of these packages work by matching your dependencies against the NVD (National Vulnerability Database), which is maintained by the US government.

Let's start with the packages we can use to detect these vulnerable dependencies.

Node

For Node packages we are going to use the nsp package, which is a free tool provided and maintained by the Node Security Project.

To install it, type

npm install nsp --global

Head over to the project's root directory and run

nsp check

It will list the project's dependencies along with all the information you may need, as in the image below.

PHP

For PHP, Composer is generally used as the package manager, and the most used frameworks are Laravel and Symfony.

Sensio provides a great way to check dependencies. It is called security-checker and it comes bundled with Symfony 3; for Symfony 2 you can get it by updating sensio/distribution-bundle to version 3.0.*.

Once the module is installed, run the command below to test for dependency security vulnerabilities.

For Symfony 2

php app/console security:check

For Symfony 3 and above

php bin/console security:check

You will get output something like the one below.

Composer dependency vulnerability


Ruby

We come to Ruby, whose framework Ruby on Rails (ROR) is known as the best choice if you want to develop something really fast. In that hurry, Rails applications use gems already written by others, and everyone uses them. There are so many dependencies that it becomes really hard to track them all.

So having a gem for testing vulnerabilities will be really helpful; I recommend using bundler-audit.

The tool tests for vulnerabilities in the NVD and the Ruby Advisory Database. It is recommended, maintained and trusted by rubysec, a Ruby security community, which makes it a great choice.

To use it, install it with

gem install bundler-audit

Now, to test for dependency security issues, run

bundle-audit

It will test for the vulnerabilities and list them like below.

Dependency vulnerability in gem files.
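To show what a tool like bundler-audit does under the hood, here is a small Python script written for this article (it is not bundler-audit's own code): it parses a constructed Gemfile.lock and compares each pinned gem version against a constructed advisory list, using the same patched-version requirement syntax RubyGems uses. The gem names and advisory ids are placeholders.

```python
import re

# Constructed Gemfile.lock fragment (fictional gem names, not a real project).
GEMFILE_LOCK = """\
GEM
  specs:
    fast-parser (1.6.4)
      widget-core (>= 2.0)
    legacy-auth (3.7.1)
    widget-core (2.1.0)
"""

# Constructed advisories in the shape rubysec uses: the affected gem plus the
# version requirements under which it is patched. Ids are placeholders.
ADVISORIES = [
    {"gem": "fast-parser", "id": "ADV-PLACEHOLDER-1", "patched": [">= 1.6.5"]},
    {"gem": "legacy-auth", "id": "ADV-PLACEHOLDER-2", "patched": ["~> 3.7.2", ">= 4.0"]},
    {"gem": "widget-core", "id": "ADV-PLACEHOLDER-3", "patched": [">= 2.1.0"]},
]

# Only lines indented by exactly four spaces are installed specs; the six-space
# lines beneath them are that gem's own dependency requirements, not versions.
SPEC_RE = re.compile(r"^ {4}(\S+) \((\d+(?:\.\d+)*)\)$", re.M)


def parse_gemfile_lock(text):
    """Return {gem_name: pinned_version} for every spec in the lockfile."""
    return dict(SPEC_RE.findall(text))


def satisfies(version, requirement):
    """Test a version against one RubyGems-style requirement ('>= 1.2', '~> 3.7.2')."""
    op, _, want = requirement.partition(" ")
    v, w = (tuple(int(p) for p in s.split(".")) for s in (version, want))  # no pre-release tags
    if op == "~>":  # pessimistic operator: >= want and < the next release above it
        upper = (w[:-2] + (w[-2] + 1,)) if len(w) > 1 else (w[0] + 1,)
        return w <= v < upper
    return {">=": v >= w, ">": v > w, "<=": v <= w, "<": v < w, "=": v == w}[op]


def audit(lock_text, advisories=ADVISORIES):
    """List (gem, version, advisory id) for each installed gem that matches an
    advisory and satisfies none of that advisory's patched-version requirements."""
    installed = parse_gemfile_lock(lock_text)
    findings = []
    for adv in advisories:
        version = installed.get(adv["gem"])
        if version and not any(satisfies(version, r) for r in adv["patched"]):
            findings.append((adv["gem"], version, adv["id"]))
    return findings
```

Calling `audit(GEMFILE_LOCK)` reports fast-parser and legacy-auth as affected while widget-core, already at a patched version, is silent; bundler-audit applies the same comparison against the real advisory database.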


Python

For Python I am currently researching and will update this when I find the best choice; one of the options is bandit. We can also use the command

pip list -o

to list outdated packages.

Wow, you are still here. Thanks for reading; the article will be updated as soon as I find a good package for Python.

Please share and distribute the knowledge.


Gaurav Yadav

Gaurav is a Full Stack Web Developer and Blogger. Sportsperson by heart and loves football. He has experience with various frameworks in php, python and javascript. Loves to explore new frameworks and evolve with the trending technology.
