
Add support for scanning flutter/dart projects

Open felix-barz-brickmakers opened this issue 3 years ago • 4 comments

**Is your feature request related to a problem? Please describe.**
I would like to check for security vulnerabilities in flutter/dart projects.

**Describe the solution you'd like**
Add a file type analyzer for pubspec.yml and pubspec.lock files used by flutter/dart.

**Describe alternatives you've considered**
There are none.

**Additional context**
Flutter package documentation: https://flutter.dev/docs/development/packages-and-plugins/using-packages

felix-barz-brickmakers avatar Jul 21 '20 15:07 felix-barz-brickmakers

+1

sticksen avatar Oct 14 '21 12:10 sticksen

We accept PR ;)

Honestly, most of the other language/tech stacks have come from PRs.

jeremylong avatar Oct 15 '21 11:10 jeremylong

Is there a rough guide on what I'd have to do to add support for a new language/tech? I'd be happy to look into this when I've got some time

partnerizeJosh avatar Sep 09 '22 16:09 partnerizeJosh

One of the best ways is to look at the analyzer for a language that is similar. I'm not sure if there is a lock file that declares the dependencies or what would need to be parsed. A recently contributed analyzer can be found here: https://github.com/jeremylong/DependencyCheck/pull/4773/files

There is also a somewhat dated write-up on the wiki: https://github.com/jeremylong/DependencyCheck/wiki/Making-a-new-Analyzer - I should really update the doc.

If you get something started, with a sample project as a test case, I'm more than happy to help.

jeremylong avatar Sep 10 '22 13:09 jeremylong

@jeremylong I would be interested to finally implement this now. My first approach is here: https://github.com/sticksen/DependencyCheck

But I'm struggling with how to get the turnaround time shorter than running mvn -s settings.xml install each time.

So my question would be mainly how to test/debug in IntelliJ. It's not working out of the box.

sticksen avatar Sep 21 '22 09:09 sticksen

Found a solution, happy to provide documentation on how to best debug in another PR.

sticksen avatar Sep 21 '22 18:09 sticksen

@sticksen additional documentation would be great.

jeremylong avatar Sep 26 '22 11:09 jeremylong

> @sticksen additional documentation would be great.

There it is: #4884

sticksen avatar Sep 26 '22 14:09 sticksen

So, after the Github Advisory Database supporting dart packages is now a thing, this actually becomes very useful. Does anyone know whether Dependency Check already uses the Advisory Database?

felix-barz-brickmakers avatar Oct 12 '22 13:10 felix-barz-brickmakers

> So, after the Github Advisory Database supporting dart packages is now a thing, this actually becomes very useful. Does anyone know whether Dependency Check already uses the Advisory Database?

I can't see that the GHSA database supports the Dart ecosystem. Can you point me in the right direction? https://github.com/advisories here?

But coming back to your answer: no, DependencyCheck currently does not support it (at least to my knowledge). The project as always accepts PRs I guess 😄

sticksen avatar Oct 12 '22 14:10 sticksen

> > So, after the Github Advisory Database supporting dart packages is now a thing, this actually becomes very useful. Does anyone know whether Dependency Check already uses the Advisory Database?
>
> I can't see that the GHSA database supports the Dart ecosystem. Can you point me in the right direction? https://github.com/advisories here?
>
> But coming back to your answer: no, DependencyCheck currently does not support it (at least to my knowledge). The project as always accepts PRs I guess 😄

You were already on the right track. It's listed on that page under "Pub": https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apub.

felix-barz-brickmakers avatar Oct 12 '22 14:10 felix-barz-brickmakers

> You were already on the right track. It's listed on that page under "Pub": https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apub.

Ah, Pub of course, makes sense, thank you! 🙏

I think with this blueprint it should be doable in a manageable amount of time: https://github.com/jeremylong/DependencyCheck/pull/1771/files

But maybe @jeremylong has a better idea how to introduce the GHSA database into the project?

sticksen avatar Oct 12 '22 14:10 sticksen
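Two questions run through this thread: what a pubspec.lock analyzer would actually have to parse, and how locked Dart packages could be matched against the GitHub Advisory Database's "Pub" ecosystem. The following stand-alone script is an added illustration of both, not code from DependencyCheck or from the linked PRs. It reads the `packages:` block of a constructed pubspec.lock, builds a `pkg:pub/<name>@<version>` package URL for each entry, and checks the locked version against a constructed advisory written in the OSV format in which GitHub publishes its reviewed advisories (`affected[].package.ecosystem == "Pub"`, `ranges[].type == "ECOSYSTEM"`). The advisory ID is a placeholder, the version comparison is a simplified semver ordering, and the lock-file reader covers only the indentation subset that `dart pub get` emits; all of that is assumption, not project behaviour.

```python
"""Added example (not DependencyCheck code): parse a pubspec.lock and match its
locked packages against an OSV-format advisory for the "Pub" ecosystem.
Stdlib only; the lock file and advisory below are constructed samples."""
import json
import re

# Constructed sample pubspec.lock, in the shape `dart pub get` writes.
SAMPLE_LOCK = """\
# Generated by pub
# See https://dart.dev/tools/pub/glossary#lockfile
packages:
  http:
    dependency: "direct main"
    description:
      name: http
      url: "https://pub.dev"
    source: hosted
    version: "0.13.4"
  path:
    dependency: transitive
    description:
      name: path
      url: "https://pub.dev"
    source: hosted
    version: "1.8.2"
sdks:
  dart: ">=2.18.0 <3.0.0"
"""

# Constructed sample advisory in OSV form; the ID is a placeholder, not a real GHSA.
SAMPLE_ADVISORY = {
    "id": "GHSA-xxxx-xxxx-xxxx",
    "summary": "constructed sample advisory for the http package",
    "affected": [{
        "package": {"ecosystem": "Pub", "name": "http"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "0.13.5"}]}],
    }],
}


def parse_pubspec_lock(text):
    """Return {name: {"dependency": ..., "source": ..., "version": ...}}.

    Minimal indentation-based reader for the `packages:` block only; it is
    not a general YAML parser (no flow style, no anchors), which is all a
    lock file needs. Nested mappings such as `description:` are skipped.
    """
    packages, current, in_packages = {}, None, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:                       # top-level key: packages:/sdks:
            in_packages = line == "packages:"
            current = None
        elif in_packages and indent == 2 and line.endswith(":"):
            current = line[:-1]               # package name
            packages[current] = {}
        elif in_packages and indent == 4 and current is not None:
            key, _, value = line.partition(":")
            value = value.strip().strip('"')
            if value:                         # scalar attribute of the package
                packages[current][key.strip()] = value
    return packages


def parse_version(v):
    """Turn 'MAJOR.MINOR.PATCH[-pre][+build]' into a tuple that sorts like semver
    (a release sorts after its own pre-releases; build metadata is ignored)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$", v)
    if not m:
        raise ValueError(f"unsupported version: {v}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core + (1, ())
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return core + (0, ids)


def affected_ranges(advisory, ecosystem, name):
    """Yield (introduced, fixed) pairs from the ECOSYSTEM ranges of one package."""
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            introduced = None
            for ev in rng.get("events", []):   # OSV events come in order
                if "introduced" in ev:
                    introduced = ev["introduced"]
                elif "fixed" in ev:
                    yield introduced, ev["fixed"]
                    introduced = None
            if introduced is not None:         # open-ended range, no fix yet
                yield introduced, None


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed ("0" means from the first release)."""
    v = parse_version(version)
    if introduced not in (None, "0") and v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def scan(lock_text, advisories):
    """Return [(purl, advisory_id, fixed_version)] for every matching lock entry."""
    findings = []
    for name, info in parse_pubspec_lock(lock_text).items():
        purl = f"pkg:pub/{name}@{info['version']}"
        for adv in advisories:
            for introduced, fixed in affected_ranges(adv, "Pub", name):
                if is_affected(info["version"], introduced, fixed):
                    findings.append((purl, adv["id"], fixed))
    return findings


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_LOCK, [SAMPLE_ADVISORY]), indent=2))
```

The reason to key everything on the lock file rather than pubspec.yaml is that only the lock file pins the exact resolved version of every transitive dependency, which is what an advisory range has to be compared against; the `dependency:` field is kept so a report can distinguish direct from transitive hits.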