by TheRealDunkirk 1350 days ago
So these bulk scanners exist, and the issue is a solved problem, but none of the "root" repos for the popular language stacks are using them?

It seems that Microsoft has built an internal tool that runs such a scan on NuGet (https://devblogs.microsoft.com/nuget/how-to-scan-nuget-packa...), at least against your individual app's packages. (That would be a very rare h/t to Microsoft from me.)

EDIT: Apparently, you can also do this with npm packages (https://docs.npmjs.com/auditing-package-dependencies-for-sec...). I don't see any facility to do this with Ruby gems.

It looks like the common practice would be to outsource the issue database to GitHub, and let whatever scanner you're using cross-reference that list?

What happens when it finds a reported problem? Does it automatically delete that mirrored package, and/or block it from being downloaded or used from the on-prem repo?

This is all new to me, and has helped put this in context, but what actual software are you talking about using for analysis?

EDIT EDIT: Running `yarn audit` in my main Rails app (just using webpacker to bundle the JS):

    97 vulnerabilities found - Packages audited: 1074
    Severity: 2 Low | 34 Moderate | 52 High | 9 Critical
I just did a `yarn upgrade` about a week ago, so it's not like I'm completely out of date. What would a centrally-managed SCA do about this situation?
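To make the "cross-reference a lockfile against an advisory list" idea concrete, here is an added example (not code from the thread, and not any vendor's tool) that does what a centrally-managed SCA or a gating package proxy does in miniature: parse a yarn v1 lockfile, match each resolved version against advisories with an affected range, count hits by severity the way `yarn audit` does, and return the set of packages a hypothetical repo policy would block. The lockfile text, the advisory records (GHSA-EXAMPLE-* ids) and their version ranges are all constructed for the example; a real deployment would pull advisories from a feed such as the GitHub Advisory Database.

```python
"""Added example: cross-reference a lockfile against an advisory list.
Everything below (lockfile, advisories, version numbers) is constructed
for illustration and is not real vulnerability data."""
from collections import Counter

# Constructed yarn.lock (v1 format) snippet; not from any real app.
YARN_LOCK = '''\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

lodash@^4.17.15:
  version "4.17.15"
  resolved "https://registry.example/lodash-4.17.15.tgz"

minimist@^1.2.0, minimist@~1.2.0:
  version "1.2.0"

"@babel/core@^7.9.0":
  version "7.9.0"

left-pad@^1.3.0:
  version "1.3.0"
'''

# Constructed advisories shaped loosely like a GHSA record: the affected
# range is [introduced, fixed). Ids and versions are placeholders.
ADVISORIES = [
    {"id": "GHSA-EXAMPLE-0001", "package": "lodash", "introduced": "0.0.0",
     "fixed": "4.17.19", "severity": "High"},
    {"id": "GHSA-EXAMPLE-0002", "package": "minimist", "introduced": "0.0.0",
     "fixed": "1.2.3", "severity": "Moderate"},
    {"id": "GHSA-EXAMPLE-0003", "package": "lodash", "introduced": "4.0.0",
     "fixed": "4.17.12", "severity": "Low"},
]

SEVERITY_ORDER = ["Low", "Moderate", "High", "Critical"]


def parse_version(v):
    """Turn 'a.b.c' into a comparable tuple (plain numeric semver only)."""
    return tuple(int(p) for p in v.split("."))


def parse_yarn_lock(text):
    """Return {package_name: {resolved versions}} from a yarn v1 lockfile."""
    resolved = {}
    current = None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if not line.startswith(" "):
            # Header: comma-separated 'name@range' specs ending in ':'.
            specs = [s.strip().strip('"') for s in line.rstrip(":").split(",")]
            # The name is everything before the last '@' (scoped names start with '@').
            current = {s[: s.rindex("@")] for s in specs}
        elif current and line.strip().startswith("version "):
            version = line.strip().split(" ", 1)[1].strip('"')
            for name in current:
                resolved.setdefault(name, set()).add(version)
    return resolved


def find_vulnerabilities(resolved, advisories):
    """Match every resolved version against every advisory's affected range."""
    hits = []
    for adv in advisories:
        for version in resolved.get(adv["package"], ()):
            v = parse_version(version)
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append({**adv, "installed": version})
    return hits


def summarize(hits):
    """Counts per severity, in the same shape as the yarn audit summary line."""
    counts = Counter(h["severity"] for h in hits)
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}


def policy_decision(hits, block_at="High"):
    """Hypothetical repo gate: packages with any hit at or above the threshold."""
    threshold = SEVERITY_ORDER.index(block_at)
    return sorted({h["package"] for h in hits
                   if SEVERITY_ORDER.index(h["severity"]) >= threshold})


if __name__ == "__main__":
    resolved = parse_yarn_lock(YARN_LOCK)
    hits = find_vulnerabilities(resolved, ADVISORIES)
    summary = summarize(hits)
    print(f"{len(hits)} vulnerabilities found - Packages audited: {len(resolved)}")
    print("Severity: " + " | ".join(f"{n} {s}" for s, n in summary.items()))
    for h in hits:
        print(f"  {h['id']}: {h['package']}@{h['installed']} "
              f"({h['severity']}, fixed in {h['fixed']})")
    print("Blocked by policy:", policy_decision(hits))
```

The interesting part for the "what happens when it finds something" question is `policy_decision`: a scanner only produces findings, and whether a hit deletes the mirrored package, blocks downloads, or merely fails a build is a separate policy knob that the operator chooses; the threshold here is an assumed default, not anyone's product behaviour.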

> So these bulk scanners exist, and the issue is a solved problem, but none of the "root" repos for the popular language stacks are using them?

I could talk at length about this; unfortunately, I'm on my phone with a spotty connection.

The tl;dr is that companies like Snyk make money by requiring companies to pay to check for vulnerabilities once they've been downloaded. There's not necessarily anything wrong with that, but a philanthropic company could make things significantly safer for everyone if they weren't concerned about making money. Initiatives like the OSSF will hopefully have a positive impact, for this reason.

You need money to staff people with security knowledge that constantly keeps product up to date with latest malicious signatures in all codebases.

This is why only a commercial company can build a great product: the constant cat-and-mouse game between threat actors and defenders/researchers. Every new malware/trojan/cryptominer strain needs to be found, identified, a signature written, and all clients need to get the latest signatures ASAP, and the product has to work flawlessly with as few false positives as possible.

> You need money to staff people with security knowledge that constantly keeps product up to date with latest malicious signatures in all codebases.

Of course; it's just funny to think about how much money gets spent detecting and fixing things downstream instead of fixing it at the source.