In Various 3rd Party Vulnerabilities - PSA-2019-09-04 the Drupal Security Team has clarified that it will generally not make announcements about vulnerabilities in 3rd party code that modules or themes hosted on drupal.org depend on.
How can it be checked?
How to check JavaScript libraries?
- Projects hosted on GitHub can get security notifications and/or use Dependabot to get pull requests created.
How to check PHP code?
For libraries pulled in with composer:
- Composer audit, introduced in Composer 2.4, checks for and lists security vulnerability advisories using the Packagist.org API.
- Enhanced with the Drupal Dependency Quality Gate Composer Audit plugin
- Friends of PHP Security Advisories compiles information from other projects and is a central clearing point. It can be used from the command line to check multiple composer.lock files.
- Sensiolabs Security Checker uses Friends of PHP Security Advisories to check a composer.lock file for vulnerable packages.
- Roave Security Advisories gets added to your composer.json and works at the point of installing/updating libraries. It depends on the Friends of PHP Security Advisories for information.
Comments
Drupal is secure?
I have been having a conversation about this with colleagues as we have clients for which we are to provide a level of confidence that the code we deliver is secure. I trust the Drupal security team, so Drupal is secure - at least until you run composer and pull in third party libraries. Even if I trust those libraries, what about the libraries they pull in? All it takes is one small, mom+pop code repository to get corrupted and all bets are off. We've seen this happen multiple times with npm packages...
Nothing can be completely secure, but we're considering a virtual cache of packages perhaps based on Artifactory or Nexus where we can run basic CVE and code-quality scanners on new packages that our developers want, and mark previously scanned packages as OK. It won't be perfect, but at least we'll have some basis for making the statement "we've done due diligence and believe these packages to be secure."
Ideally, Drupal.org or Acquia would provide such a service, of course with serious legal disclaimers that they are not guaranteeing that the code is secure, but that it has been checked for known vulnerabilities and CVEs.
Until we or they provide such a service, we're all just crossing our fingers.
Documentation on d.o
Hi,
I have added a few pages to track external libraries used in Drupal 8 core. It is created against 8.7.x and probably outdated in terms of version, but provides the list of libraries. We also have Drupal security advisories to block installing packages with security issues at composer level.
Thank you!
This is very helpful.
Don't want to lose this Slack History
The following was a Slack conversation on this... going to stick the conversation here so it's a little more permanent. Formatting isn't beautiful, but better than nothing.
julia_k Sep 6th at 9:39 AM
Does anyone have any suggestions for monitoring 3rd party library security advisories?
Luke Leber 5 days ago
https://github.com/sensiolabs/security-checker may be able to be plumbed into your CI pipeline.
Luke Leber 5 days ago
Similarly, there's a https://www.npmjs.com/package/audit-ci project for node.
greggles 5 days ago
Github does it for some libraries, but not PHP https://help.github.com/en/articles/about-security-alerts-for-vulnerable...
cilefen 5 days ago
Isn’t npm audit built in?
MiSc 5 days ago
@cilefen - depends on version of node used in a project.
cilefen 5 days ago
retire can scan JS libraries that were not installed with a package manager: https://www.npmjs.com/package/retire
julia_k 5 days ago
Thanks, everyone! Will check out these suggestions
Lisa Ridey 5 days ago
I’ve been using roave/security-advisories to check for vulnerabilities in third party libraries, with good success.
cilefen 5 days ago
AFAIK roave only checks when dependencies change, it isn’t a scanner of existing dependencies: “its only purpose is to prevent installation of software with known and documented security issues”
Lisa Ridey 5 days ago
@cilefen Yes, you need to implement it when you initialize your project.
cilefen 5 days ago
I just want to be absolutely clear that roave prevents installing libraries with known security issues but doesn’t scan for existing ones.
greggles 5 days ago
So roave wouldn’t work for a library that is being used on a site and then gets a newly detected problem. That is a very common scenario, I think.
Lisa Ridey 5 days ago
@greggles I believe it rescans on composer update
greggles 5 days ago
Yes, it does seem to. Thanks for clarifying. It’s an interesting strategy, but these nuances make me a bit wary of it.
cilefen 5 days ago
The best one IMO these days is the symfony command.
cilefen 5 days ago
I refer to https://symfony.com/download, which is newer than the symfony security-checker… for one thing it caches so you can check many 10s of projects quickly and not trigger an API usage error
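The tool list at the top of the page and the Roave exchange in the Slack log above turn on one distinction: a scanner audits what is already recorded in composer.lock, while a Roave-style metapackage only makes Composer refuse an install or update that matches its conflict constraints. The Python script below is an added example, not code from this page, from Composer, from FriendsOfPHP or from Roave; it implements both behaviours over a constructed advisory list shaped like FriendsOfPHP's per-package entries and a constructed composer.lock excerpt. All package names, version ranges and the CVE string are made up, and version comparison is simplified (pre-release and build suffixes are ignored).

```python
import json
import re

# Constructed advisories in the shape of FriendsOfPHP/security-advisories
# entries: every constraint in a branch's "versions" list must hold for a
# version to count as affected. Names, ranges and the CVE are made up.
ADVISORIES = {
    "example-vendor/html-sanitizer": [{
        "title": "XSS via unescaped attribute (constructed)",
        "cve": "CVE-XXXX-XXXXX",  # placeholder, not a real identifier
        "branches": {"1.x": {"versions": [">=1.0.0", "<1.4.2"]},
                     "2.x": {"versions": [">=2.0.0", "<2.1.1"]}},
    }],
    "example-vendor/yaml": [{
        "title": "Unsafe object instantiation (constructed)",
        "cve": None,
        "branches": {"3.x": {"versions": [">=3.0.0", "<3.3.0"]}},
    }],
}

# Constructed composer.lock excerpt with only the fields the scan needs.
COMPOSER_LOCK = json.dumps({
    "packages": [{"name": "example-vendor/html-sanitizer", "version": "v1.3.0"},
                 {"name": "example-vendor/yaml", "version": "3.4.1"}],
    "packages-dev": [{"name": "example-vendor/test-helper", "version": "1.0.0"}],
})

_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
    "<": lambda a, b: a < b, "=": lambda a, b: a == b,
}
_CONSTRAINT_RE = re.compile(r"^(>=|<=|!=|==|>|<|=)?\s*(.+)$")

def parse_version(version):
    """Turn 'v1.3.0' into (1, 3, 0). Simplified: pre-release and build
    suffixes are dropped, so '1.4.2-beta1' compares equal to '1.4.2'."""
    core = version.lstrip("vV").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version, constraint):
    """True if `version` matches one constraint such as '<1.4.2'."""
    match = _CONSTRAINT_RE.match(constraint.strip())
    op = match.group(1) or "="
    return _OPS["=" if op == "==" else op](
        parse_version(version), parse_version(match.group(2)))

def affected(version, advisory):
    """True if `version` lies in any affected branch of the advisory."""
    return any(all(satisfies(version, c) for c in branch["versions"])
               for branch in advisory["branches"].values())

def scan_lock(lock_json, advisories=ADVISORIES):
    """Scanner side: audit what composer.lock says is installed and
    return one finding per affected package (dev packages included)."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            for adv in advisories.get(pkg["name"], []):
                if affected(pkg["version"], adv):
                    findings.append({"package": pkg["name"],
                                     "version": pkg["version"],
                                     "title": adv["title"], "cve": adv["cve"],
                                     "dev": section == "packages-dev"})
    return findings

def roave_style_conflicts(advisories=ADVISORIES):
    """Gate side: the `conflict` map a Roave-style metapackage carries,
    one constraint per package with affected branches joined by '|'."""
    return {name: "|".join(",".join(b["versions"])
                           for adv in advs for b in adv["branches"].values())
            for name, advs in advisories.items()}

def would_block_install(package, version, advisories=ADVISORIES):
    """True if Composer would refuse to install/update `package` at
    `version` because of the conflict map. This path never looks at
    what is already in composer.lock."""
    constraint = roave_style_conflicts(advisories).get(package)
    if constraint is None:
        return False
    return any(all(satisfies(version, c) for c in alt.split(","))
               for alt in constraint.split("|"))

if __name__ == "__main__":
    for f in scan_lock(COMPOSER_LOCK):
        print(f"installed {f['package']} {f['version']}: {f['title']}")
    # The installed 1.3.0 is reported by the scan above; the gate only
    # fires when Composer is asked to install or update that package.
    print(would_block_install("example-vendor/html-sanitizer", "1.3.0"))
    print(would_block_install("example-vendor/html-sanitizer", "1.4.2"))
```

Running it shows the already-installed sanitizer 1.3.0 flagged by the scan while the Roave-style gate stays silent until Composer is asked to install or update that package, which is the nuance cilefen and greggles discuss above: a site that keeps an unchanged lock file learns about a newly published advisory from a scanner such as `composer audit`, not from a conflict-based metapackage.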
Interesting tools, thanks.
--
RP
http://www.robertoperuzzo.it
http://www.studioaqua.it
I think my comment on another issue is already related to this:
https://groups.drupal.org/node/535733#comment-1165465
Drupal Dependency Quality Gate Composer Audit plugin
Added a reference to my Composer Audit extension that covers Drupal projects better than Composer Audit can OOTB.
https://packagist.org/packages/mxr576/ddqg-composer-audit