This is really cool to see because this is the #1 problem with current tools (as you said). I call it "alert fatigue" in my head because it's meaningless when you have 100+ vulns to fix but they're 99% unexploitable.
I have a bit of a bone to pick with this space: I've been working on this problem for a few months now (link to repo[0] and blog[1]).
My background is Application Security and, as is often the case with devs, rage fuels me in my desire to fix this space. Log4Shell helped too.
As another comment said, doing this in a language agnostic way is a big PITA and we haven't fully built it yet. We are using SemGrep to do very basic static analysis (see if vulnerable function is ever imported + called). But we're not doing fancy Inter-process taint analysis like CodeQL can.
(We have a big Merkle tree that represents the dependency tree and that's how we are able to make the CI/CD check take only a few seconds because we can pre-compute.)
Anyway, if you have a second to help, we have a GitHub App[2] that you can install to test this out + help us find bugs. It's best at NPM now but we have basic support for other languages (no dep tree analysis yet).
There are so many edge cases with the ways that repos are set up, so just having more scans coming in helps a ton. (Well, it breaks stuff, but we already determined that rage sustains me.)
Thank you. *climbs off of soap box*
0: https://github.com/lunasec-io/lunasec
1: https://www.lunasec.io/docs/blog/the-issue-with-vuln-scanner...
2: https://github.com/marketplace/lunatrace-by-lunasec
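The "is the vulnerable function imported + called" check described in the comment above, written out as an added example in Go (this is not LunaSec's code): it parses one source file with the standard go/ast package and reports whether a function from an advisory's package is actually invoked through the import. The package path and function name are constructed placeholders, not a real advisory.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
	"path"
	"strconv"
)

// CallsVulnerableFunc reports whether src imports pkgPath and calls fn through that
// import (default name or alias). It is deliberately shallow: calls made via dot
// imports, reflection or function values are not seen, so "false" is a hint, not proof.
func CallsVulnerableFunc(src, pkgPath, fn string) (bool, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "main.go", src, 0)
	if err != nil {
		return false, err
	}
	names := map[string]bool{} // local names the vulnerable package is imported under
	for _, imp := range f.Imports {
		p, err := strconv.Unquote(imp.Path.Value)
		if err != nil || p != pkgPath {
			continue
		}
		name := path.Base(p) // default import name; imprecise for paths ending in /vN
		if imp.Name != nil {
			name = imp.Name.Name
		}
		names[name] = true
	}
	if len(names) == 0 {
		return false, nil // never imported: this advisory is noise for this file
	}
	found := false
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return !found
		}
		if sel, ok := call.Fun.(*ast.SelectorExpr); ok {
			if id, ok := sel.X.(*ast.Ident); ok && names[id.Name] && sel.Sel.Name == fn {
				found = true
			}
		}
		return !found
	})
	return found, nil
}
```

Running it over a file that only imports the package, or that imports it but calls a different function, returns false, which is exactly the class of alert the comment wants to suppress.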
-
This is super helpful for me as a Dapr maintainer (we have a ton of third party integrations we compile into our binary). Found and upgraded a vulnerable dependency and then quickly added this check to our CI/CD workflow.
https://github.com/dapr/components-contrib/pull/2054
-
It's important to read the caveats: https://github.com/golang/go/blob/master/src/cmd/link/intern..., the most important of which is:
// The third case is handled by looking to see if any of:
-
What's the difference between this and https://github.com/securego/gosec?