
Add support for scanning flutter/dart projects

Open felix-barz-brickmakers opened this issue 4 years ago • 4 comments

Is your feature request related to a problem? Please describe. I would like to check for security vulnerabilities in flutter/dart projects.

Describe the solution you'd like Add a file type analyzer for pubspec.yml and pubspec.lock files used by flutter/dart.

Describe alternatives you've considered There are none.

Additional context Flutter package documentation: https://flutter.dev/docs/development/packages-and-plugins/using-packages

felix-barz-brickmakers avatar Jul 21 '20 15:07 felix-barz-brickmakers

+1

sticksen avatar Oct 14 '21 12:10 sticksen

We accept PR ;)

Honestly, most of the other language/tech stacks have come from PRs.

jeremylong avatar Oct 15 '21 11:10 jeremylong

Is there a rough guide on what I'd have to do to add support for a new language/tech? I'd be happy to look into this when I've got some time

partnerizeJosh avatar Sep 09 '22 16:09 partnerizeJosh

One of the best ways is to look at the analyzer for a language that is similar. I'm not sure if there is a lock file that declares the dependencies or what would need to be parsed. A recently contributed analyzer can be found here: https://github.com/jeremylong/DependencyCheck/pull/4773/files

There is also a somewhat dated write-up on the wiki: https://github.com/jeremylong/DependencyCheck/wiki/Making-a-new-Analyzer - I should really update the doc.

If you get something started, with a sample project as a test case, I'm more than happy to help.

jeremylong avatar Sep 10 '22 13:09 jeremylong

@jeremylong I would be interested to finally implement this now. My first approach is here: https://github.com/sticksen/DependencyCheck

But I'm struggling with how to get the turnaround time shorter than running `mvn -s settings.xml install` each time.

So my question would be mainly how to test/debug in IntelliJ. It's not working out of the box.

sticksen avatar Sep 21 '22 09:09 sticksen

Found a solution, happy to provide documentation on how to best debug in another PR.

sticksen avatar Sep 21 '22 18:09 sticksen

@sticksen additional documentation would be great.

jeremylong avatar Sep 26 '22 11:09 jeremylong

> @sticksen additional documentation would be great.

There it is: #4884

sticksen avatar Sep 26 '22 14:09 sticksen

So, after the Github Advisory Database supporting dart packages is now a thing, this actually becomes very useful. Does anyone know whether Dependency Check already uses the Advisory Database?

felix-barz-brickmakers avatar Oct 12 '22 13:10 felix-barz-brickmakers

> So, after the Github Advisory Database supporting dart packages is now a thing, this actually becomes very useful. Does anyone know whether Dependency Check already uses the Advisory Database?

I can't see that the GHSA database supports the Dart ecosystem. Can you point me in the right direction? https://github.com/advisories here?

But coming back to your answer: no, DependencyCheck currently does not support it (at least to my knowledge). The project as always accepts PRs I guess 😄

sticksen avatar Oct 12 '22 14:10 sticksen

> So, after the Github Advisory Database supporting dart packages is now a thing, this actually becomes very useful. Does anyone know whether Dependency Check already uses the Advisory Database?
>
> I can't see that the GHSA database supports the Dart ecosystem. Can you point me in the right direction? https://github.com/advisories here?
>
> But coming back to your answer: no, DependencyCheck currently does not support it (at least to my knowledge). The project as always accepts PRs I guess 😄

You were already on the right track. It's listed on that page under "Pub": https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apub.

felix-barz-brickmakers avatar Oct 12 '22 14:10 felix-barz-brickmakers

> You were already on the right track. It's listed on that page under "Pub": https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apub.

Ah, Pub, of course, makes sense, thank you! 🙏

I think with this blueprint it should be doable in a manageable amount of time: https://github.com/jeremylong/DependencyCheck/pull/1771/files

But maybe @jeremylong has a better idea how to introduce the GHSA database into the project?

sticksen avatar Oct 12 '22 14:10 sticksen

Since the dart analyzer is marked as experimental and there is no discussion forum, I'm asking here. It seems to me that the findings of the dart analyzer are often bogus, they are mixed up with similarly named npm packages. E.g. the dart dependency fake_async: 1.3.1 is reported as

- [pkg:pub/fake_async@1.3.1](https://ossindex.sonatype.org/component/pkg:pub/fake_async@1.3.1?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1) (Confidence:Highest)
- [cpe:2.3:a:async_project:async:1.3.1:*:*:*:*:*:*:*](https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aasync_project&cpe_product=cpe%3A%2F%3Aasync_project%3Aasync&cpe_version=cpe%3A%2F%3Aasync_project%3Aasync%3A1.3.1) (Confidence:Highest)

Interestingly, the confidence is Highest. Is this already known and the reason why it's marked experimental?

cpfeiffer avatar Jun 23 '23 15:06 cpfeiffer

It is marked as experimental as no one has spent time figuring out how to reduce FP and FN. We will likely incorporate the GHSA data in Q4 2023 at which time we can improve the analyzer a lot.

jeremylong avatar Jun 27 '23 10:06 jeremylong
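As an added illustration of the two things this thread touches (not code from DependencyCheck or from anyone in the thread): reading the hosted packages out of a `pubspec.lock` into `pkg:pub/name@version` package URLs, and a small triage check that flags a CPE identification whose product is only a fragment of the pub package name, which is the `fake_async` to `async_project:async` mismatch cpfeiffer reports above. The lock file content is constructed for the example, and the heuristic is an assumption of mine, not how the analyzer matches.

```python
import re

# Constructed pubspec.lock excerpt in the real lock-file layout (not taken from the issue).
SAMPLE_LOCK = """\
packages:
  async:
    dependency: transitive
    description:
      name: async
      url: "https://pub.dev"
    source: hosted
    version: "2.11.0"
  fake_async:
    dependency: transitive
    description:
      name: fake_async
      url: "https://pub.dev"
    source: hosted
    version: "1.3.1"
sdks:
  dart: ">=3.0.0 <4.0.0"
"""

PKG_RE = re.compile(r"^  (\w+):\s*$")               # two-space indent: a package entry
VER_RE = re.compile(r'^    version:\s*"([^"]+)"')  # four-space indent: that entry's version

def parse_pubspec_lock(text):
    """Return {package: version} for the packages listed under 'packages:'."""
    packages, current, in_packages = {}, None, False
    for line in text.splitlines():
        if line.startswith("packages:"):
            in_packages = True
            continue
        if in_packages and line and not line.startswith(" "):
            break  # left the packages: mapping (e.g. reached sdks:)
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VER_RE.match(line)
        if m and current:
            packages[current] = m.group(1)
    return packages

def to_purls(packages):
    """Build the pkg:pub package URLs DependencyCheck reports for pub dependencies."""
    return [f"pkg:pub/{name}@{ver}" for name, ver in sorted(packages.items())]

def suspicious_cpe_match(package, cpe):
    """Heuristic (assumption): flag a CPE whose product is only one underscore-separated
    part of the package name, e.g. fake_async matched to async_project:async."""
    product = cpe.split(":")[4]
    return product != package and product in package.split("_")
```

Running `suspicious_cpe_match("fake_async", "cpe:2.3:a:async_project:async:1.3.1:*:*:*:*:*:*:*")` returns True, while the same CPE against the real `async` package does not, which is the kind of check a reviewer can run over a report before trusting a "Highest" confidence.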