Does npm's package audit use OWASP? - node.js

Does npm's internal npm audit command use the OWASP security standards when assessing packages for vulnerabilities?
Is there any background information on how npm's packages get audited?

OWASP security standards, as the name suggests, are only a compilation of standard security checks for web applications.
In fact, the npm audit command checks for outdated dependencies or known issues. That command doesn't accomplish an audit on the fly. Security issues are raised from several sources, like the Node.js security team or Ubuntu security notices, for example, or by users like you.
Based on the information we have from npm, it's actually hard to tell if the npm security team in charge of evaluating package vulnerabilities follows all the security recommendations from the OWASP organisation, but I'm sure a large part of it stays in their minds as security professionals.
Note that npm also relies on Google Cloud Security Scanner and the AWS penetration testing platform to evaluate security issues in packages.

I know it's late, but the Node Audit Analyzer of the OWASP dependency-check toolset actually uses the NPM Audit API for analysis.

Here is a post from the npm blog that describes the npm audit command. I couldn't find any valid resource that describes how npm audits packages, but I think it might have a connection with The Node Security Platform.

Related

ignore known vulnerability in npm audit

npm audit is part of my Bitbucket pipeline. I use quill, which introduces an XSS vulnerability. It was shipped via CDN, but now my app serves this dependency itself. npm audit now fails because of the XSS.
I am not sure yet if this vulnerability is even relevant to my use case. But I would like to be able to suppress a vulnerability in npm audit. I tried better-npm-audit, but it doesn't seem to be able to generate the JSON output needed for the pipeline.
I am confused because it feels like an obvious thing to suppress false positives. But googling around (and also asking ChatGPT for help) didn't help.
So: is it possible to suppress false positives in npm audit?
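One way to handle this in a pipeline, as an added example that is not from any post on this page: post-process the `npm audit --json` report with a small Node script instead of silencing npm audit. It assumes the auditReportVersion 2 report shape that npm 7+ emits; the report, the allowlist and the advisory URLs are constructed placeholders.

```javascript
// Constructed sample in the auditReportVersion 2 shape (npm 7+), trimmed to the
// fields used here. Advisory URLs are placeholders, not real advisory ids.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    quill: {
      name: 'quill', severity: 'moderate', isDirect: true, fixAvailable: false,
      via: [{ name: 'quill', title: 'Cross-site scripting (constructed)',
              url: 'https://example.invalid/advisories/PLACEHOLDER-QUILL', severity: 'moderate' }],
    },
    // transitive finding: vulnerable only because it depends on quill
    'react-quill': { name: 'react-quill', severity: 'moderate', isDirect: true,
                     fixAvailable: false, via: ['quill'] },
    'other-lib': {
      name: 'other-lib', severity: 'high', isDirect: false, fixAvailable: true,
      via: [{ name: 'other-lib', title: 'Prototype pollution (constructed)',
              url: 'https://example.invalid/advisories/PLACEHOLDER-LIB', severity: 'high' }],
    },
  },
};

// Each accepted advisory carries a reason and an expiry date so it is re-reviewed.
const allowlist = [{
  advisory: 'https://example.invalid/advisories/PLACEHOLDER-QUILL',
  reason: 'editor only renders server-sanitized content', expires: '2099-01-01',
}];

// Returns which findings are suppressed, which remain open, and whether the CI
// step should fail. A finding is suppressed only when every advisory in via is
// accepted and every package it is reached through (string entries in via) is
// itself suppressed, so a transitive finding follows its root cause.
function filterAudit(report, allow, now = new Date()) {
  const accepted = new Set(
    allow.filter(e => new Date(e.expires) > now).map(e => e.advisory));
  const vulns = report.vulnerabilities || {};
  const memo = new Map();
  const isSuppressed = (name) => {
    if (memo.has(name)) return memo.get(name);
    memo.set(name, false); // provisional value guards against cycles in via
    const v = vulns[name];
    const ok = Boolean(v) && v.via.length > 0 && v.via.every(via =>
      typeof via === 'string' ? isSuppressed(via) : accepted.has(via.url));
    memo.set(name, ok);
    return ok;
  };
  const suppressed = [], open = [];
  for (const name of Object.keys(vulns)) (isSuppressed(name) ? suppressed : open).push(name);
  return { suppressed, open, failed: open.length > 0 };
}
console.log(JSON.stringify(filterAudit(sampleReport, allowlist)));
```

In a pipeline, pipe the real report in (`npm audit --json > audit.json`), parse it with JSON.parse, and exit non-zero when `failed` is true.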

Security admin said Node.js devDependencies CAN have real-world repercussions on production, how?

To summarize, the IT security team at my company is using a tool called Prisma Cloud to run vulnerability checks on all Node.js apps (by analyzing package-lock and package.json).
One of the scans reported 5 security problems, ALL on devDependencies.
We use 'npm prune' to remove all devDependencies from the production build, so, in my understanding, the vulnerable libs will never be used on prod.
However, this is what the admin said: "Some of the dependencies CAN have real-world repercussions on production if they cause you to write code where your dev env. doesn't accurately reflect production".
I don't want to disagree with him; I know this guy is a very talented security expert. I just want an example to understand better what he said, since I'm not much into security.
Thanks!

Verify if an NPM package is official

I am developing an app that needs to use Binance API. I found an NPM package https://www.npmjs.com/package/#binance/connector
But I am not sure if it is an official one or created by someone else. What are the criteria to identify a good npm package? By good I mean not containing any malicious code.
The NPM package links to a GitHub repo. The GitHub repo readme links back to the NPM package. So far so good.
The GitHub repo is published under the binance organization, which has the verified tag with comment:
We've verified that the organization binance controls the domain: www.binance.com
So assuming that we can trust the GitHub verification process, this particular NPM package is legit and really comes from Binance.
General rules of thumb to roughly identify a level of trustworthiness of an NPM package:
Published by a verified organization.
Number of downloads. A package with 1k weekly downloads is more likely to be legit, compared to a package with 1-2 downloads a week.
Size of the community around this package. Look for the number of contributors, an official website, and a support forum with active users. These are the signs that the package is probably all right.
If the package is business critical for your case, always do your own due diligence and look through the code.

Is there a safe way to compile an Electron app (without npm security problems)?

I recently built an Electron app using Node.js, HTML, CSS and JS,
and have been wanting to compile it. I've npm installed all the options I found (packager, build, forge), but npm says all of them have security issues. Is there a secure way to compile? (Compile for Windows.)
Most of the security vulnerabilities are in "build" packages, things that are run at compile time only, and not when the Electron/Node.js app is in use; they run only when it's built/minified/etc., and they are not included in the final product.
Also, most of those security vulnerabilities are usually highly hypothetical, with a high threshold of prerequisites for the weakness to occur.
If you wish to be certain, read the security risk descriptions and what is required, and evaluate if it applies to your system, whether it's in a build-time package or a runtime package, and what kind of vulnerability it represents.
If there is a vulnerability in a package that gets included in the app, and it is one that you need to fix because it would pose a serious threat to your end users, check the repository for the package to see if someone has already submitted a pull request for a fix that hasn't made it to the main branch, and merge that into the version that you use.

NPM (node package manager) security and voting

Anyone can publish their Node.js package to the open Node Package Manager (npm) pool.
Are there any security checks for published packages so that I can be sure that a new package won't contain any harmful code?
Also, it would be interesting to know if there is any voting system for Node packages, so that I can pick out the most-voted package from a bunch of similar Node packages.
The Node Security Platform is a tool designed to help developers do just that! You can test your project dependencies for known vulnerabilities in a variety of ways - from the command line, integrated with your CI system, or integrated with GitHub.
The vulnerabilities are discovered via two sources:
A team of seasoned node.js security professionals actively auditing modules on npm.
Submissions from community members, which are verified by the aforementioned team.
It's also free to use the command line tool, as well as the integration with open source GitHub repositories.
If you are using npm Enterprise, nsp is also partnered with npm to provide sidebar integration. This allows you to see vulnerability information right from the npme web UI, which sounds like what you are looking for.
As far as module popularity goes, there is a website that does this to some degree at nodejsmodules.org. I use it from time to time, but beware - they've got a very expired HTTPS cert.
Disclosure: I am an employee of ^Lift Security, the company behind the Node Security Platform.
You can also use https://nodesecurity.io/ to add security checks into your GitHub pull request flow.
If you perform a search on npmjs.com before pulling a module into your system, the index of all packages on npmjs.com takes into account maintenance, quality, etc.
npm search is also a good option for npm package voting.
The npms analyzer continuously analyzes the npm ecosystem, gathering as much information as possible from a variety of sources, including GitHub, David and nsp. Using the collected information, a final score for each package is calculated based on four different aspects: Quality, Maintenance, Popularity, and Personalities.