Automated Nuget, Bower, Node package checking

When you are working on one or two projects, it is quite easy to check your packages for updates or vulnerabilities, especially when there is a few of them. But what do you do when you have 30+ microservices with 20+ packages (nuget, bower, npm) and developers are within multiple teams? Well – you use your imagination and automate task, like any other you should do.

Tools used:

First, let`s check how each of these work.

First, OssIndex – this tool is used to check our packages against known vulnerabilities. It is command line tool and all you should do, is pass it packages.config file and wait for results. Let`s try to pass something in:

devaudit.exe nuget --file packages.config

And get results:

15:22:38<01> [HOST] [INFO] Using OSS Index as default package vulnerabilities data source for NuGet package source.
15:22:38<01> [AUDIT] [STATUS] Scanning NuGet packages.
15:22:38<01> [AUDIT] [SUCCESS] Scanned 42 NuGet packages.
15:22:38<04> [HOST] [STATUS] Searching OSS Index for vulnerabilities for 42 packages.
15:22:40<04> [HOST] [WARNING] Got 0 total vulnerabilities for none of 42 packages from data source OSS Index.
15:22:40<01> [AUDIT] [INFO] Not reporting package source audit with zero vulnerabilities.

Package Source Audit Results
0 total vulnerabilities found in NuGet package source audit. Total time for audit: 2737 ms.

Great, we scanned our first package for vulnerabilities .

Let`s scan bower and npm packages too:

devaudit.exe bower --file bower.config
13:24:34<01> [HOST] [INFO] Using OSS Index as default package vulnerabilities data source for Bower package source.
13:24:34<01> [AUDIT] [STATUS] Scanning Bower packages.
13:24:34<01> [AUDIT] [SUCCESS] Scanned 22 Bower packages.
13:24:34<03> [HOST] [STATUS] Searching OSS Index for vulnerabilities for 22 packages.
13:24:36<03> [HOST] [SUCCESS] Got 26 total vulnerabilities for 4 packages from data source OSS Index.
13:24:37<07> [AUDIT] [INFO] Evaluated 26 vulnerabilities with 1 matches to package version in 974 ms.

Package Source Audit Results
1 total vulnerability found in Bower package source audit. Total time for audit: 3274 ms.

[1/4] bootstrap [VULNERABLE] 2 known vulnerabilities, 1 affecting installed package version(s): [3.3.7]
--[1/1] Cross Site Scripting (XSS) in data-target attribute 
 --The data-target attribute is vulnerable to Cross-Site Scripting attacks when user-data is supplied to the data-target attribute.
 --Affected versions: <= 3.3.7
 --Id: 8400185169
 --Provided by: OSS Index

[2/4] angular 16 known vulnerabilities, 0 affecting installed package version(s).
[3/4] angular-gettext 1 known vulnerability, 0 affecting installed package version(s).
[4/4] jquery 7 known vulnerabilities, 0 affecting installed package version(s).

Vulnerabilities Data Providers

OSS Index OSS Index is a free index of software information, focusing on vulnerabilities. The data has been made available to the community through a REST API as well as several open source tools (with more in development!). Particular focus is being made on software packages, both those used for development libraries as well as installation packages.

Ups, we have 1 vulnerability, that is something our team should look into.

Now let`s use other tool to check for bower and npm packages. First you need to install this tool, after that its simple. We pass bower.json file and for whatever reason, we are ignoring “angular-local-storage” package:

ncu -m bower -x angular-local-storage --packageFile bower.json

And results:

pdfjs-dist 2.0.220 → 2.0.244

Run ncu with -u to upgrade C:\xxx\xxx\bowerNCU.json

Same goes for node packages:

ncu --packageFile package.json
uglify-js 3.2.2 → 3.3.4

The following dependencies are satisfied by their declared version range, but the installed versions are behind. You can install the latest versions without modifying your package file by using npm update. If you want to update the dependencies in your package file anyway, run ncu -a.

gulp-autoprefixer ^4.0.0 → ^4.1.0 
gulp-changed ^3.1.1 → ^3.2.0 
gulp-shell ^0.6.3 → ^0.6.5

Great, now I can scan my packages for vulnerabilities and updates, all that is left is automation, but how?

All our microservices goes trough pipeline, so – this is place where I can insert “checking” for packages.

I don`t want to transfer/install those tools every time I want to scan packages, too slow right? Let`s build our own API that will accept string (package file content), pass this string to tools and report back results?  And lets put this API on some kind of environment so everyone can use it?

API first, sample code for one of endpoints:

Snippet of endpoint

Now I need to create endpoints for all usecases (node, bower, nuget – devaudit/ncu).

After that, I added new build step to my build server that will collect content of package file and send it to specific endpoint:

$packages = Get-Content "package.json"

$body = @{secret="%post.pass%";packagejson="$packages";microservice=""}

$myUrl = 'https://url/audit/node'

Invoke-WebRequest -Uri $myUrl -Method Post -Body $body -ContentType "application/x-www-form-urlencoded"

Whats missing? Messaging, correct. For that I use Slack. I created a new web hook, created new channel, added interested developers and from now on all teams knows, when there is update or vulnerabilities:

Slack messaging

So, that`s one way to do it and of course, there is a lot to improve, but for now – we are sure, that we will get notified if there is something to look into.

Leave a Reply

Your email address will not be published. Required fields are marked *