Packages to check dependency vulnerabilities in Rails, Node, PHP and Python.


In this article we are going to discuss the packages that we can use to detect vulnerabilities in dependencies. Most of these packages match the project's dependencies against the NVD (National Vulnerability Database), which is maintained by the US government.

Let's start with the packages that we can use to detect these vulnerable dependencies.

Node

For Node packages we are going to use nsp, a free tool provided and maintained by the Node Security Project.

To install it, type

npm install nsp --global

Head over to the project's root directory and run

nsp check

It will list the dependencies in the project with all the information you may need, as in the image below.


PHP

For PHP, Composer is generally used as the package manager, and the most used frameworks are Laravel and Symfony.

Sensio provides a great way to check the dependencies. It is called security-checker; it comes bundled with Symfony 3, while for Symfony 2 you can get it by updating sensio/distribution-bundle to version 3.0.*

Once you have the module installed, run the command below to test for vulnerable dependencies.

For symfony 2

php app/console security:check

For symfony 3 and above

php bin/console security:check

You will get output something like the one below.

Composer dependency vulnerability


Ruby

We come to the language whose framework, Ruby on Rails, is known as the best choice if you want to develop something really fast. In this hurry, Rails applications use gems already written by others, and everyone uses them. There are so many dependencies that it becomes really hard to track them all.

Thus a gem that tests for these vulnerabilities is really helpful, and I recommend using bundler-audit.

The tool tests for vulnerabilities in the NVD and the Ruby advisory database. It is recommended, maintained and trusted by RubySec, a Ruby security community, which makes it a great choice.

To use it, install it with

gem install bundler-audit

Now, to test the dependencies, run

bundle-audit

It will now test for vulnerabilities and list them like below.

Dependency vulnerability in gem files.


Python

We can also use the command

pip list -o

to list outdated packages.

For vulnerability:

Python dependency security vulnerability checker.
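The checks above are one command per ecosystem, so they are easy to wire into a single CI step. The script below is an added example, not part of the article: it picks the tool the article recommends from the files in the project directory and fails the job when that tool reports findings. The helper names, the detection by lockfile and the DEPCHECK_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): run the per-ecosystem audit tool
# described above from one CI step. detect_stack/audit_command/run_audit
# and the lockfile-based detection are assumptions made for this example.

# Guess the ecosystem of a project directory from the files it ships.
# Gemfile.lock is checked first: a Rails app often also has package.json.
detect_stack() {
    dir=${1:-.}
    if   [ -f "$dir/Gemfile.lock" ];     then echo ruby
    elif [ -f "$dir/composer.json" ];    then echo php
    elif [ -f "$dir/package.json" ];     then echo node
    elif [ -f "$dir/requirements.txt" ]; then echo python
    else                                      echo unknown
    fi
}

# Print the command the article gives for each ecosystem ($1), given the
# project dir ($2). Symfony 3+ keeps its console in bin/, Symfony 2 in app/.
# The advisory database is refreshed before bundle-audit runs so a stale
# local copy does not hide a recently published advisory.
audit_command() {
    case "$1" in
        ruby) echo "bundle-audit update && bundle-audit check" ;;
        node) echo "nsp check" ;;
        php)  if [ -f "$2/bin/console" ]; then echo "php bin/console security:check"
              else echo "php app/console security:check"; fi ;;
        *)    echo "" ;;   # python: the article names no checker yet
    esac
}

# Run the audit inside the project; a non-zero exit fails the CI job.
# Returns 2 when no tool is configured or installed for the stack.
run_audit() {
    dir=${1:-.}
    stack=$(detect_stack "$dir")
    cmd=$(audit_command "$stack" "$dir")
    if [ -z "$cmd" ]; then
        echo "no audit tool configured for '$stack' in $dir" >&2; return 2
    fi
    tool=${cmd%% *}
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "$tool is not installed; see the install steps above" >&2; return 2
    fi
    echo "== $stack: $cmd (in $dir)"
    ( cd "$dir" && sh -c "$cmd" )
}

# Only audit when invoked explicitly: DEPCHECK_RUN=1 sh depcheck.sh /path/to/project
if [ "${DEPCHECK_RUN:-0}" = 1 ]; then run_audit "${1:-.}"; fi
```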


Wow, you are here. Thanks for reading; the article will be updated as soon as I find a good package for Python.

If you like the article, join our Facebook group: https://www.facebook.com/groups/327836414579633/ and LinkedIn group: https://www.linkedin.com/groups/10441297/

Please share and distribute the knowledge.

Gaurav Yadav

Gaurav is a cloud infrastructure engineer, a full stack web developer and a blogger. A sportsperson at heart who loves football. Scale is something he loves to work on, and he is always keen to learn new tech. Experienced with CI/CD, distributed cloud infrastructure, build systems and a lot of SRE stuff.
