SafeNuget (an OWASP project) audits a .NET project for vulnerable Nuget Packages from this github source
There is a misconception that because the package has an old date, it consequently contains out-of-date package signatures... creating a circular issue where people don't use or issue pull requests to unsafepackages.xml.
Screenshot of version history as of 1/17/17
Question
To address the usage and deployment issue, how do I ensure that all new projects leverage this package on File:New?
PS: I hope by asking this question I increase the visibility and viability of this potentially valuable resource.
I'm maintaining some large NodeJS applications (micro-services, apps), which consume many (at least 100+) dependencies.
Updating those dependencies to fix a security vulnerability forces me to spend valuable development time.
Is there any way to automate package updates across repositories?
We're using GitLab for SCM.
I had thought of some options like:
Separating out core dependencies into a base level library.
Maintain a repository that specifies security-cleared dependency versions and repositories to be updated whenever the cleared list changes.
Any additional suggestions/examples?
Just to help shortlist approaches mentioned in the question:
1. Separating core dependencies into a "Core" library.
This can reduce the number of updates. But the libraries based on "Core" will still have their own dependencies, which may be prone to vulnerabilities, and the update cycle must be repeated for them manually. This approach just procrastinates the manual updates.
2. Maintain a repository that specifies security-cleared dependency versions and repositories to be updated whenever the cleared list changes.
Couple of options here:
Article on automating via pipeline scripts
GitHub: Use next-update + Hub CLI
GitLab: Use next-update + Lab CLI
Implement dependabot-core(GitHub) or dependabot-gitlab(GitLab)
Implement renovate.
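The second approach in the question (a central list of security-cleared versions that every repository is reconciled against) is easy to sketch in a short script. The example below is added here and is not code from the answer, from next-update, Dependabot or Renovate. The layout of the cleared-versions file, the sample package.json and the package names in it are all constructed for the illustration.

```python
"""Reconcile a repository's package.json against a central security-cleared list.

Added example, not part of the original answer. Assumed layout of the cleared
list: a JSON object mapping package name -> exact version that review signed off on.
"""
import json
import re

# Constructed sample of the central "security-cleared versions" file.
CLEARED_JSON = """{
  "express": "4.17.3",
  "lodash": "4.17.21",
  "minimist": "1.2.6"
}"""

# Constructed sample package.json from one micro-service repository.
PACKAGE_JSON = """{
  "name": "orders-service",
  "dependencies": {
    "express": "^4.16.0",
    "lodash": "~4.17.15",
    "left-pad": "1.3.0",
    "internal-lib": "git+ssh://git@gitlab.example.invalid/core/internal-lib.git"
  },
  "devDependencies": {
    "minimist": "1.2.5"
  }
}"""

_RANGE_PREFIX = re.compile(r"^[\^~>=<\s]*")


def parse_version(spec):
    """'^4.16.0', '~4.17.15' or '1.2.5' -> (4, 16, 0); None for git URLs, tags, etc."""
    core = _RANGE_PREFIX.sub("", spec.strip())
    if not re.fullmatch(r"\d+\.\d+\.\d+", core):
        return None
    return tuple(int(p) for p in core.split("."))


def reconcile(manifest, cleared):
    """Return (updated manifest, change log).

    Cleared packages are pinned to the exact cleared version whenever the
    manifest's floor is below it. A caret/tilde range that already admits the
    cleared version is still pinned, because the lock file may hold an older
    resolution. Packages not on the cleared list, or whose spec cannot be
    parsed, are only reported so a human can triage them.
    """
    updated = json.loads(json.dumps(manifest))  # deep copy; leave the input untouched
    changes = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            entry = {"section": section, "package": name, "from": spec, "to": None}
            if name not in cleared:
                entry["action"] = "untracked"
            else:
                current, target = parse_version(spec), parse_version(cleared[name])
                if current is None or target is None:
                    entry["action"] = "manual"
                elif current < target:
                    updated[section][name] = cleared[name]
                    entry.update(action="bump", to=cleared[name])
                else:
                    entry["action"] = "ok"
            changes.append(entry)
    return updated, changes


def run_example():
    """Run the reconciliation over the constructed samples above."""
    return reconcile(json.loads(PACKAGE_JSON), json.loads(CLEARED_JSON))


if __name__ == "__main__":
    new_manifest, log = run_example()
    for c in log:
        print(f"{c['action']:9} {c['section']}/{c['package']}: {c['from']} -> {c['to']}")
    print(json.dumps(new_manifest, indent=2))
```

In a pipeline this would run in each repository's CI job, write the updated manifest, run the package manager's install to refresh the lock file, and open a merge request; the "untracked" and "manual" entries are the ones that still need a person to look at them.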
I have a ST3 package hosted on GitHub and available through Package Control. It has been superseded by a new package that I wrote, but I keep getting bug reports for the old one since many people are still using it.
What is the correct way to remove the option to install the original package from package control, and ideally from GitHub if possible, without messing anything up for users who currently have the old package installed?
Specifically, will submitting a pull request to Package Control to remove the old package, and/or deleting the old package's github repo, cause the old package to disappear from people's Sublime Text?
I strongly suggest reading through the package developer docs, especially the section entitled Renaming a Package, as they explain everything in detail. Essentially, the easiest path would be to follow the directions for renaming a package, and at the same time change the URL to your new Github repo. This way, the old packagecontrol.io page will no longer be available, and upon restart users of the old package should be upgraded to the new one.
I'd also recommend reading through the Package Control Channel's issues to see if this issue has come up before. Worst case scenario, you submit your PR and it gets rejected for some reason, but they'll explain what you need to do differently.
Anyone can publish their Node.js package to the open Node Package Manager (npm) pool.
Is there any security checks for published packages so that I can be sure that a new package won't contain any harmful code?
Also it's interesting to know if there is any voting system for node packages so that I can pick out the most voted package from a bunch of similar node packages?
The Node Security Platform is a tool designed to help developers do just that! You can test your project dependencies for known vulnerabilities in a variety of ways - from the command line, integrated with your CI system, or integrated with github.
The vulnerabilities are discovered via two sources:
A team of seasoned node.js security professionals actively auditing modules on npm.
Submissions from community members, which are verified by the aforementioned team.
It's also free to use the command line tool, as well as integration with open source github repositories.
If you are using npm enterprise, nsp is also partnered with npm to provide sidebar integration. This allows you to see vulnerability information right from the npme web ui, which sounds like what you are looking for.
As far as module popularity goes, there is a website that does this to some degree at nodejsmodules.org. I use it from time to time, but beware - they've got a very expired HTTPS cert.
Disclosure: I am an employee of ^Lift Security, the company behind the Node Security Platform.
You can also use https://nodesecurity.io/ to add security checks into your GitHub pull request flow.
If you perform a search on npmjs.com before pulling a module into your system, the index of all packages on npmjs.com takes into account maintenance, quality, etc.
npm search is also a good option for npm package voting.
The npms analyzer continuously analyzes the npm ecosystem, gathering as much information as possible from a variety of sources, including GitHub, David and nsp. Using the collected information, a final score for each package is calculated based on four different aspects: Quality, Maintenance, Popularity, and Personalities.
Are there any plans for the ServiceStack packages to start using the SemVer standard? We just had an unfortunate circumstance where we were broken by the interface breaking changes introduced in 4.0.44 from 4.0.43 around OrmLite.
We are a sizable commercial customer and have a custom implementation of an OrmLiteDialectProvider for one of our DBMSs. It all seemed good upon the initial upgrade in our web application; however, as part of testing, the changes around type converting broke our system. This wasn't initially evident as part of the upgrade because our custom implementation is in a NuGet package which overrides OrmLiteDialectProvider.ConvertDbValue on version 4.0.38, which is now gone. There were no binding issues because it is only a minor version difference.
NuGet adopted SemVer back in version 1.6.
Having the SemVer standard would make it a lot easier for us to know when interface breaking changes have been made, without having to dig through the Release Notes page.
NOTE: The release also didn't indicate that the old method had been removed and upgrading would break any custom implementations.
UPDATE FROM RESPONSE
Anyway, fair enough answer. I can appreciate it would be difficult to track each package individually. In our case we wrote a custom dialect provider as we have a legacy DBMS that wasn't supported and this appeared to be the way we were supposed to add the support. We wanted to use ORMLite because we use the rest of ServiceStack and it's a fantastic product.
The new way to support the types is a great improvement and actually made our implementation easier.
We actually ran into this issue because we do always keep our ServiceStack packages inline and were upgrading the ASP portion for some fixes to the WSDL generation and this came along as part of our upgrade.
ServiceStack adopts a single rolling version for all NuGet packages, which all share the same version number. Of all ServiceStack's 60 NuGet packages it's likely there's a breaking change to at least one of the packages, so semver would be useless. You should also never mix and match different versions of ServiceStack together - when you upgrade, upgrade all packages to reference the same package versions. We do aim to keep user-facing breaking changes to a minimum, by looking to deprecate old APIs first, maintain parallel API versions for a while, then list the new APIs in the release notes.
IOrmLiteDialectProvider is not a user-facing interface
However, IOrmLiteDialectProvider is not considered a user-facing interface since it should be extremely rare that anyone implements their own custom provider. It's also the interface for specialization for all RDBMSs and often changes with every release to support new features, internal refactoring, optimizations, etc. E.g. implementing Type Converters was a major internal refactor that required changes to IOrmLiteDialectProvider but did not affect OrmLite's external user-facing API; later releases include optimizations requiring further changes, and again this doesn't affect OrmLite's external user-facing API.
SemVer won't help here, every ServiceStack version potentially has a breaking change in some of the packages and we have no intention to complicate each release by versioning each of the individual packages differently. The issue you're having is depending on an unstable Interface that's not intended for customization. It's not treated as a user-facing API so we don't try to maintain compatibility with existing versions or publish breaking changes which happens nearly every time we add features / optimizations to OrmLite. You should instead check the commit history of IOrmLiteDialectProvider for any changes to this interface.
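Whichever side of the SemVer argument you land on, the practical task for a consumer who implements an internal interface is the same: before upgrading, diff the interface's members between the two versions and compare what you find with what the version bump would have promised. The script below is an added example, not ServiceStack code and not its real IOrmLiteDialectProvider. The two interface snippets are constructed, heavily abridged stand-ins; the ConvertDbValue method is the one the question names, and the other member names are assumed for the illustration.

```python
"""Diff the method members of a C# interface across two versions and check the
result against the SemVer meaning of the version bump.

Added example; the interface sources are constructed stand-ins, not the real
IOrmLiteDialectProvider. Only method declarations are compared (properties and
events would need another pattern).
"""
import re

OLD_INTERFACE = """
public interface IOrmLiteDialectProvider
{
    object ConvertDbValue(object value, Type type);
    string GetQuotedTableName(string tableName);
    string ToSelectStatement(Type tableType, string sqlFilter, params object[] filterParams);
}
"""

NEW_INTERFACE = """
public interface IOrmLiteDialectProvider
{
    string GetQuotedTableName(string tableName);
    string ToSelectStatement(Type tableType, string sqlFilter, params object[] filterParams);
    IOrmLiteConverter GetConverter(Type type);
}
"""

# One interface method per line: "<return type> <name>(<params>);"
MEMBER_RE = re.compile(r"^\s*([\w<>\[\],\s]+?)\s+(\w+)\s*\((.*)\)\s*;\s*$", re.M)


def members(src):
    """Map method name -> normalised signature for every method declared in src."""
    out = {}
    for ret, name, params in MEMBER_RE.findall(src):
        norm_params = ", ".join(p.strip() for p in params.split(",") if p.strip())
        out[name] = f"{ret.strip()} {name}({norm_params})"
    return out


def diff_members(old_src, new_src):
    """Removed and changed members break implementers; added members break them too
    in C# (an implementing class must now provide the new member), so all three
    are reported separately and any of them counts as breaking for implementers."""
    old, new = members(old_src), members(new_src)
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def parse_semver(version):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?", version)
    if not m:
        raise ValueError(f"not a SemVer version: {version!r}")
    return tuple(int(x) for x in m.groups())


def semver_level(old_version, new_version):
    """'major' (may break), 'minor' (additions only) or 'patch' (fixes only)."""
    o, n = parse_semver(old_version), parse_semver(new_version)
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    return "patch"


def check_upgrade(old_src, new_src, old_version, new_version):
    """Combine the member diff with the version bump: a breaking interface change
    under anything but a major bump is what SemVer would have flagged."""
    report = diff_members(old_src, new_src)
    report["breaks_implementers"] = bool(report["removed"] or report["changed"] or report["added"])
    report["semver_level"] = semver_level(old_version, new_version)
    report["semver_violation"] = report["breaks_implementers"] and report["semver_level"] != "major"
    return report


if __name__ == "__main__":
    for key, value in check_upgrade(OLD_INTERFACE, NEW_INTERFACE, "4.0.43", "4.0.44").items():
        print(f"{key}: {value}")
```

Point the two source strings at the interface file as checked out at the two package tags (for ServiceStack, the answer's own advice is the commit history of IOrmLiteDialectProvider) and the "removed" list is the set of overrides that will silently stop being called after the upgrade.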
I'm browsing Nuget libraries from an author and see questionable content.. something that doesn't have the same quality as some of the prior work I've seen.
How do I know that the author of a Nuget package is really that person?
Can I extend that trust into the built-in update process of Nuget?
The "author" is simply metadata that is included in the .nuspec file. See (http://docs.nuget.org/docs/reference/nuspec-reference). This can be different than the package owner/creator.
In the beginning when NuGet was starting out, there were a few people that were creating packages for projects that they didn't author mainly to get the package in the repository.
Now that NuGet is more established, it is recommended that people contact the project owner and have them create their own NuGet package.
For packages that have already been uploaded to the repository by someone other than the author, the author can request to have the ownership transferred to them.
Since there's no guarantee that the package creator is the original author, I'm not sure how that affects trust. However, if you install a package, it is pretty safe to say that updates will either be from the same person that created the initial package, or potentially it will have transferred to the actual author of the project.
In other words, trust will likely be the same or perhaps better (if actual author), but seldom worse than the original package you installed.
Hope that helps.
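To see for yourself how little the author field proves, it helps to open a package and look at where the name actually lives. The script below is an added example, not NuGet tooling: it assembles a minimal .nupkg in memory (a .nupkg is a zip with the .nuspec at its root), reads the authors and owners out of the .nuspec, and compares the authors against the owner accounts shown on the gallery page, which the caller supplies. The package id, names and URL in the sample are constructed.

```python
"""Read authors/owners out of a .nupkg and compare them with the gallery owners.

Added example, not NuGet's own code. The .nuspec below is constructed. Note that
<authors> is free text typed by whoever built the package, and nuget.org ignores
the <owners> element in favour of the account that uploaded the package.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

SAMPLE_NUSPEC = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Example.Logging</id>
    <version>2.1.0</version>
    <authors>Well Known Maintainer</authors>
    <owners>some-reuploader</owners>
    <projectUrl>https://example.invalid/logging</projectUrl>
    <description>Constructed sample; not a real package.</description>
  </metadata>
</package>
"""


def build_nupkg(nuspec_xml, package_id):
    """Assemble a minimal .nupkg in memory; the .nuspec must sit at the zip root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{package_id}.nuspec", nuspec_xml)
        zf.writestr("lib/net45/placeholder.txt", "no assembly in this constructed sample")
    return buf.getvalue()


def _local(tag):
    """Strip the XML namespace so any nuspec schema version is handled alike."""
    return tag.rsplit("}", 1)[-1]


def read_metadata(nupkg_bytes):
    """Return the <metadata> children of the package's .nuspec as a dict,
    plus split authors_list / owners_list (both are comma-separated text)."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        specs = [n for n in zf.namelist() if n.endswith(".nuspec") and "/" not in n]
        if len(specs) != 1:
            raise ValueError(f"expected exactly one root .nuspec, found {specs}")
        root = ET.fromstring(zf.read(specs[0]))
    meta = next(el for el in root.iter() if _local(el.tag) == "metadata")
    fields = {_local(child.tag): (child.text or "").strip() for child in meta}
    for key in ("authors", "owners"):
        fields[key + "_list"] = [v.strip() for v in fields.get(key, "").split(",") if v.strip()]
    return fields


def authors_not_among_owners(fields, gallery_owners):
    """Authors claimed in the .nuspec who do not match any gallery owner account.

    gallery_owners is the owner list shown on the package's nuget.org page; it is
    the only name tied to an account. A non-empty result does not prove anything
    is wrong, but it does mean the author claim is unverified and the project
    should be asked out of band whether this package is theirs.
    """
    owners = {o.casefold() for o in gallery_owners}
    return [a for a in fields["authors_list"] if a.casefold() not in owners]


if __name__ == "__main__":
    pkg = build_nupkg(SAMPLE_NUSPEC, "Example.Logging")
    md = read_metadata(pkg)
    print(md["id"], md["version"], "authors:", md["authors_list"], "nuspec owners:", md["owners_list"])
    print("unverified authors:", authors_not_among_owners(md, ["some-reuploader"]))
```

Run against a real download the same check takes the .nupkg bytes straight from disk; the gallery owner list still has to come from the package page or the gallery API, because nothing inside the package records who uploaded it.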
I know this is a fairly old question, but this is the best answer I've found. I'd like to add my $.02 to the till. I've got a couple of packages on nuget.org that are based on another package. Unity.Mvc3.VB, Unity.Mvc3.DLL, and I'm working on a Unity.Mvc4.VB package. They're all based on Unity.Mvc3 from devtrends. The DLL project basically just installs the assembly reference for Unity.Mvc3 without the c# source code files so that it's a little easier to use in projects of other languages. The VB package(s) include VB.Net versions of the C# source files. Since I didn't write anything other than the nuspec file in the DLL package, I just listed Paul Hiles as the author and myself as the package owner.
For the VB package(s), again I'm listed as the owner, but for the author I list Paul and myself with each of our contributions in parenthesis like so:
The idea is that I'm giving credit to the original author of my derivative work.
Kiliman's answer is correct and comprehensive. I would like to add that it is up to the community to start writing reviews of nuget packages in the NuGet Gallery. Reviews are very few and far between and they have a star-rating system, so if you don't think a package is useful, or if you have concerns about a particular package, write them there and help your fellow programmers.