Vulnerability Scanner
Scan your repos for vulnerabilities (such as dependencies with published security advisories)
Dependencies
- NodeJS
- Docker (for tests and dependency updates)
- Make (because it's just easier that way)
Running
Locally
First, do this setup:
- Copy
.env.distto.envand add appropriate values. - Install node
- Run
npm install
Next, use one of the following commands, depending on what you want to do. Note that if you also pass a URL to a CSV file specifying what versions of PHP and NodeJS various Docker images use, then any use of End-of-Life'd (EOL'd) versions of PHP and NodeJS will also be reported.
Scan an Entire GitHub Organization's Repos
Run this, replacing "ORGANIZATION" with the desired GitHub org. name:
node cli/scan-github-org.js ORGANIZATION "[VERSIONS_CSV_URL]"
Scan a Specific GitHub Repo
Run this, replacing "REPO" with the desired GitHub repo, in the format "repo-owner/repo-name":
node cli/scan-github-repo.js REPO "[VERSIONS_CSV_URL]"
Scan an Entire Bitbucket Workspaces's Repos
Run this, replacing "WORKSPACE" with the desired Bitbucket workspace name:
node cli/scan-bitbucket-workspace.js WORKSPACE "[VERSIONS_CSV_URL]"
Scan a Specific Bitbucket Repo
Run this, replacing "REPO" with the desired Bitbucket repo, in the format "repo-owner/repo-name":
node cli/scan-bitbucket-repo.js REPO "[VERSIONS_CSV_URL]"
Scan an Entire GitHub Organization and Bitbucket Workspace
Run this, replacing "GH_ORGANIZATION" with the desired GitHub org. name and "BB_WORKSPACE" with the desired Bitbucket workspace name:
node cli/scan-gh-bb.js GH_ORGANIZATION BB_WORKSPACE "[VERSIONS_CSV_URL]"
NPM
This library is also published as an npm package for use in other
JavaScript/Node applications:
https://www.npmjs.com/package/@silintl/vulnerability-scanner
AWS Lambda
To run this on AWS Lambda, see
https://github.com/silinternational/serverless-vulnerability-scanner
Testing
To run the (local) tests, simply run make test. For more details, see the
Makefile.
Backwards Compatibility
This repo uses semver, and its public interface (in order to determine what
changes would break backwards-compatibility) is defined as the functions
exported by ./index.js.
Checking Programming Language Versions
Each of the commands for scanning one or more repos also accepts an optional URL to a CSV file with mapping information between Docker images and programming language versions (e.g. PHP, NodeJS).
Docker-language-versions CSV file
Example CSV content:
Docker image,PHP version,NodeJS version
openjdk:8-jdk-alpine,NONE,NONE
php:7.3-apache-buster,7.3,NONE
node:16,NONE,v16
Note:
- The header line needs to use exactly those values.
- The values in the Docker image column should be the exact value used as the
FROMin the Dockerfile. - For Docker images that do include PHP, specify only the major and minor
version (such as
7.3, not7.3.24). - For Docker images that do include NodeJS, enter a
vand the major version (such asv16, notv16.13.1). - For Docker images that do not include the given programming language, use
NONE.
Tip:
One easy way to maintain a URL-accessible CSV file is as a Google Sheet, using
the "File" > "Publish to Web" feature, selecting the desired sheet (tab),
specifying "CSV" as the format option, and using the given URL in calls to this
library.
Missing Docker image values
If your list of vulnerabilities includes a warning like the following...
No record found in spreadsheet for php:7.3-apache-buster
... you simply need to add a row to your CSV file with that Docker image (in
this case, php:7.3-apache-buster) and what version of PHP it uses (in this
case, 7.3).
If you do not know what version of PHP it uses (and if it is a Docker image you
trust enough to run on your local computer), you can run a command like this,
replacing YOUR-DOCKER-IMAGE-STRING with the actual value:
docker run --rm --entrypoint php YOUR-DOCKER-IMAGE-STRING -v
In the example above, that would mean running the following command:
docker run --rm --entrypoint php php:7.3-apache-buster -v
Note:
There is a little get-docker-lang-versions.sh helper script for determining
the PHP, NodeJS, and Python versions (if any) used in a list of Docker images.
However, it may change (and even be renamed) in future changes to this library.
Feel free to use it, but don't depend on its current behavior or filename to
remain unchanged.
For example, you could create a file called docker-images-unknown-versions.txt
with a single docker image per line, then run the following:
cat docker-images-unknown-versions.txt | ./get-docker-lang-versions.sh
That would write out to a docker-lang-versions.txt file the CSV data to use
in your spreadsheet of what programming language versions are used in what
Docker images. There is also a make docker-lang-versions command you can run
to run the above code more easily (and not have to re-read this documenation
every time).
Unknown PHP versions
If your list of vulnerabilities includes a warning like the following...
Unknown PHP version: 8.1
... please submit a PR on this repo to add that PHP version and its EOL date to the "src/php.js" file's list of EOL dates.
To find the End-Of-Life (EOL) date for that version of PHP, go to https://www.php.net/supported-versions and find the latest date any kind of support is planned for that version (typically the "Security Support Until" date).
Thanks!
Unknown NodeJS versions
If your list of vulnerabilities includes a warning like the following...
Unknown NodeJS version: v19
... please submit a PR on this repo to add that NodeJS version and its EOL date to the "src/nodejs.js" file's list of EOL dates.
To find the End-Of-Life (EOL) date for that version of NodeJS, go to https://nodejs.org/en/about/releases/ and look at the "END-OF-LIFE" value for that version in the table near the end of the page.
Thanks!