
Add security vulnerability checking

Open watzon opened this issue 5 years ago • 11 comments

GitHub announced some new security features today which, as far as I understand, are language agnostic in their execution for the most part. One of those is the ability for maintainers of a project to work on security vulnerabilities in a private environment and then notify the community of that vulnerability once it's patched.

They said that they'll be opening an API which would allow you to check if a particular dependency has any security vulnerabilities, and it would be amazing if we could integrate that functionality directly into shards (in a similar way to how npm warns of vulnerabilities) possibly with the ability to automatically fix the vulnerabilities by patching the shard.yml file.

I don't know if the API is available quite yet, but I figured it would be good to have a discussion about this since security should be top priority for everyone.

watzon avatar Sep 18 '19 20:09 watzon

It would be nice to have a security command, and printing warning messages on install, yes. The GitHub API is in preview (RepositoryVulnerabilityAlert in the GraphQL v4 API).

If someone wants to play with this.

ysbaddaden avatar Sep 19 '19 08:09 ysbaddaden

I've been poking at the preview API, and it's not exactly responding in a manner that I expect.

From what I gather, a repo owner must first enable data access for GitHub to scrape dependencies, which can alert the repo owner that packages used in their repo may contain published vulnerabilities.

Do we know if GitHub is checking shards.yml files yet? It doesn't appear so from their current ecosystem list.

The results of these alerts are private to the repo owner.

A repo may also elect to publish a public-facing security advisory (in beta) - and this is likely the API that shards ought to look at when evaluating versions. However, I don't yet know how these advisories turn up in a public API.

miketheman avatar Sep 23 '19 11:09 miketheman

I tried to contact GitHub in the past regarding the detection of dependencies, but I failed to get an answer whether there is something on our end we can do to get that feature.

bcardiff avatar Sep 23 '19 13:09 bcardiff

@bcardiff I did that too, with no followup so far.

Sija avatar Sep 23 '19 16:09 Sija

@bcardiff @Sija I'm pretty sure they use dependabot, which is open source. Someone could open a PR for Crystal support.

watzon avatar Sep 23 '19 22:09 watzon

A project owner (maybe a collaborator too) can create draft advisories from the Security pane, allowing them to discuss and work in private on a fix; then you can publish it. Once publicly available, we should be able to list it using RepositoryVulnerabilityAlert from the GraphQL API.

Now, this is nice, but it's for sending GitHub notifications, and having some history of advisories. It doesn't seem to have a template for affected versions, so it's not meant for automated analysis by a tool as discussed here (notify security issues on install). We could require a template, or an embedded YAML in the advisory, but that's kinda error prone.

ysbaddaden avatar Sep 24 '19 08:09 ysbaddaden

What about non-github repos? Or malware repos that don't willingly report? Or repos that depend on malware repos that the author no longer maintains?

didactic-drunk avatar Apr 18 '20 17:04 didactic-drunk

@paulcsmith of the Lucky Framework is now working at GitHub. Maybe he will have some know-how to help move this along.

rishavs avatar May 03 '20 16:05 rishavs

This is something important to implement - but I think checking for vulns should also have a vendor-independent solution too, rather than relying completely on a GitHub feature.

I know other languages have advisory DBs (ruby-advisory-db, Python's safety-db). Could we consider something similar in addition to GitHub's own service? I'd imagine a system like NPM's advisory service is probably out of the question given shards aren't hosted in a centralised location.

PercussiveElbow avatar Aug 13 '20 13:08 PercussiveElbow

@PercussiveElbow I've wanted to work on an advisory db for a while, and I've finally got some downtime. I think I've got some solutions for the lack of a centralized repository. I'll start working on a proof of concept and update here if I get somewhere.

ghost avatar Nov 15 '20 22:11 ghost

There's no need for a centralized registry to track vulnerabilities. It might actually be even better to have an advisory db separate from package discovery. Essentially, such a db is just a list which references packages and affected versions. That totally works without a registry. It just needs to use the established reference mechanism already used for shards.

The requirements of an advisory db are in no way specific to the shards ecosystem. So there's no need for a tailored solution to track vulnerabilities. So I see great potential for relying on something that already exists. I'm not very familiar with which options are available. But taking a look at how this is set up for other dependency ecosystems should give a good understanding. Maybe we can just use https://github.com/rubysec/ruby-advisory-db or something similar (perhaps requires a few modifications). A multi-purpose database like https://snyk.io/vuln may also be an option.

I'd be happy to integrate information from an advisory database into https://shardbox.org.

straight-shoota avatar Nov 16 '20 14:11 straight-shoota