Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Friday July 03 2020, @10:41AM   Printer-friendly
from the friend-of-a-friend dept.

More than 75% of all vulnerabilities reside in indirect dependencies:

The vast majority of security vulnerabilities in open-source projects reside in indirect dependencies rather than directly and first-hand loaded components.

"Aggregating the numbers from all ecosystems, we found more than three times as many vulnerabilities in indirect dependencies than we did direct dependencies," Alyssa Miller, Application Security Advocate at Snyk, told ZDNet in an interview discussing Snyk's State of Open Source Security for 2020 study.

The report looked at how vulnerabilities impacted the JavaScript (npm), Ruby (RubyGems), Java (MavenCentral), PHP (Packagist), and Python (PyPI) ecosystems.

Snyk said that 86% of the JavaScript security bugs, 81% of the Ruby bugs, and 74% of the Java ones impacted libraries that were dependencies of the primary components loaded inside a project.

[...] Snyk argues that companies scanning their primary dependencies for security issues without exploring their full dependency tree multiple levels down would release or end up running products that were vulnerable to unforeseen bugs.

So dear Soylentils, how do you track vulnerabilities in libraries that you use in your projects and do you scan beyond direct dependencies?

Previously:
(2020-05-16) Nine in Ten Biz Applications Harbor Out-of-Date, Unsupported, Insecure Open-Source Code, Study Shows


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Insightful) by Anonymous Coward on Friday July 03 2020, @11:45AM (17 children)

    by Anonymous Coward on Friday July 03 2020, @11:45AM (#1015713)

    "Write your own solution."

    That is a two edged sword.
        The good news is that yours is smaller so less chance for bugs.
        The bad news is only one set of eyes looking for the bugs.

    Maybe a better solution is to encourage small, common, well tested libraries.
        That would provide your answer's benefit (low attack surface) but mine also (many eyes looking for bugs).

    So how would one encourage such a thing?
        Perhaps make it easy to rate how much cruft a web page takes when it loads?

    Starting Score:    0  points
    Moderation   +2  
       Insightful=1, Interesting=1, Total=2
    Extra 'Insightful' Modifier   0  

    Total Score:   2  
  • (Score: 1, Insightful) by Anonymous Coward on Friday July 03 2020, @11:54AM

    by Anonymous Coward on Friday July 03 2020, @11:54AM (#1015715)

    As always, a mixture of opinions is ideal. Everyone writing their own means slower development, less eyes, less maintainability. Everyone collaborating on one project brings a monoculture and a single point of failure.

  • (Score: 3, Insightful) by HiThere on Friday July 03 2020, @01:50PM (14 children)

    by HiThere (866) Subscriber Badge on Friday July 03 2020, @01:50PM (#1015748) Journal

    The real problem is "dynamic linking" where the particular library that you are using can be updated after you write the code. No language that does that can safely use external libraries. This is one of my problems with go and rust...those languages are designed to be dependent on the net. If you're going to use an external library it should at least match a checksum.

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 2) by RS3 on Friday July 03 2020, @03:02PM

      by RS3 (6367) on Friday July 03 2020, @03:02PM (#1015763)

      Yes, exactly, and I commented on this above.

      My thought was to download the needed library code and host it yourself, if licensing allows.

    • (Score: 3, Informative) by The Mighty Buzzard on Friday July 03 2020, @03:14PM (9 children)

      Rust does not update library versions for a project unless you foolishly use wildcards in your library version numbers. And even then, once you've built it once on that box you have to explicitly tell it to update the libraries every time you want to. This still doesn't protect you from any system-wide shared libraries being updated by the operating system though.

      --
      My rights don't end where your fear begins.
      • (Score: 2) by HiThere on Friday July 03 2020, @10:48PM (8 children)

        by HiThere (866) Subscriber Badge on Friday July 03 2020, @10:48PM (#1015888) Journal

        OK, I'm not rust expert, and that's not the way I understood cargo as working. The objection still stands in a weaker form, but in that form it applies to all systems libraries. If your system needs to be secure you should include all the libraries you need statically linked. This can get bulky.

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
        • (Score: 2) by The Mighty Buzzard on Saturday July 04 2020, @04:13AM

          Their library handling is actually pretty sweet even if the libraries themselves are extremely unpolished and constantly breaking compatibility in the quest to use the shiny new coding thing. Have a look into it if you're actually interested.

          --
          My rights don't end where your fear begins.
        • (Score: 2) by fyngyrz on Saturday July 04 2020, @01:36PM (6 children)

          by fyngyrz (6567) on Saturday July 04 2020, @01:36PM (#1016091) Journal

          If your system needs to be secure you should include all the libraries you need statically linked. This can get bulky.

          Static linking, absolutely.

          Bulk: RAM is cheap. Mass storage is cheap. CPUs can address very large amounts of RAM and easily access significant amounts of storage across multiple, very large storage devices. Even very large software can be loaded from mass storage very fast now.

          The time to worry about executable size for desktop machines (and coming soonish for palmtops) is past, IMO. The remaining important goals to reach for these days are:

          • Capability — as always, the user's needs must be addressed
          • Consistency — thing A should work like thing B if at all possible
          • Documentation — For anything non-trivial, this can be critical
          • Efficient algorithm(s) — because CPUs will never be fast enough
          • Maintainability — If you can't maintain it, you probably shouldn't have written it
          • Network independence — if the network breaks, your code should not
          • Limit resistance — don't assume the user's tasks will never exceed your vision
          • Orthogonality — settings should avoid changing other settings
          • OS independence — Every unique OS feature you use is an opportunity for the OS vendor to limit the accessibility of your software
          • Ownership — "licensing" is a plague. If you don't own it, it owns you.
          • Predictability — If you can't explain why or how it works, it's likely dangerous
          • Portability — We don't live in a world with only one software platform
          • Reliability — because unreliable software ranges from annoying to dangerous
          • Security — because execution environments are typically polluted with black hats
          • Stability over releases — don't break things users have already been provided with
          • Stability over host environment "updates" — OS mutation often imposes bitrot from without
          • Usability — the less attention paid to this, the less use it will get

          OPC, with the single exception of well-written and carefully validated public domain code, tends to impede those goals one way or another. And lawyers. Lawyers pollute everything they touch. Shakespeare's Dick the Butcher [wikipedia.org] had it exactly right, if for perhaps the wrong reasons, depending on how you read the intent.

          --
            Government: Designed to provide you with "service" and...
          ...the Media: Designed to provide you with Vaseline.

          • (Score: 2) by The Mighty Buzzard on Saturday July 04 2020, @02:59PM (4 children)

            Okay, roll yourself a statically linked Linux distro. I'm curious to see how enormous it comes in at and if it'll even boot on a machine with less than 32GB of ram.

            --
            My rights don't end where your fear begins.
            • (Score: 0) by Anonymous Coward on Sunday July 05 2020, @01:46AM (3 children)

              by Anonymous Coward on Sunday July 05 2020, @01:46AM (#1016345)

              This made me do the math on one of our test machines. Based on the output of lsof, grepping for "\.so", stating the results and multiplying by the allocation units, the resulting disk space used by shared libraries is 256,081,920 bytes allocated on disk and 31,531,820 bytes of memory. And this is for a machine that is basically running one service and 25 processes total including the counting process, ttys, and ssh or system ones. It'd probably be interesting to see how much bigger that would be on a machine running X/Wayland or general purpose. However, the various elimination optimizations would cut down on some of the needed space.

              • (Score: 2) by The Mighty Buzzard on Sunday July 05 2020, @10:46AM (2 children)

                du -hs reports 698MB for /lib on this box. How much each binary would have added without shared libraries is another matter entirely though.

                --
                My rights don't end where your fear begins.
                • (Score: 0) by Anonymous Coward on Monday July 06 2020, @05:12AM (1 child)

                  by Anonymous Coward on Monday July 06 2020, @05:12AM (#1016852)

                  To be clear count I provided would be the total counting all repeated libraries multiple times to somewhat simulate them being included in each static executable based on lsof output. I also understand that the optimizers would remove unused parts of the code for each executable. Your comment just made me curious as to what some sort of ballpark might be on even a stripped down system. Perhaps if I am bored one day, I'll put the static USE flag and the static* flags in the build chain on one of the systems to see what comes out. I'll then stand there staring at the screen like Oppenheimer wondering what sort of monster I have unleashed.

                  I do find it somewhat interesting that the du -hs on the box is 83MB, just under 12% of your size. And most of that is kernel modules. I'm assuming you box has X11, generic kernels, and other incidental software on it as well, which means your /usr/lib and /usr/*/lib probably add up to a lot more than the 166 MB on the test machine here.

          • (Score: 2) by Pino P on Sunday July 05 2020, @02:24AM

            by Pino P (4721) on Sunday July 05 2020, @02:24AM (#1016349) Journal

            RAM is cheap. Mass storage is cheap.

            Cellular data transfer quota to redownload the package after a security update is not cheap. Nor is mass storage cheap if it is already full and soldered to the mainboard of the paid-for appliance or phone. People are still using 8 GB Android phones where more than half the space is taken by the operating system and two copies of each application: the version that came with the operating system (for use after a factory reset) and the updated version downloaded from the device's app store. And the operating system tends to be incapable of moving a lot of applications to removable storage.

    • (Score: 2) by darkfeline on Friday July 03 2020, @11:01PM (2 children)

      by darkfeline (1030) on Friday July 03 2020, @11:01PM (#1015896) Homepage

      I find the first half of your post reasonable and the second half absurd or ignorant. Go is not only statically linked, but all dependencies are pinned via checksum and minimum specified version (rather than maximum specified version like many language dependency managers) and Go provides both global and private checksum servers and package proxies. It is the most reproducible and privately controllable language dependency manager that I know of, other than vendoring all code directly.

      --
      Join the SDF Public Access UNIX System today!
      • (Score: 2) by HiThere on Saturday July 04 2020, @02:05PM (1 child)

        by HiThere (866) Subscriber Badge on Saturday July 04 2020, @02:05PM (#1016101) Journal

        The checksum is good. Minimum specified version is not. It requires that you trust later versions without knowing anything about them. Which is it?

        Yes, I'm relatively ignorant of go. There are lots of languages out there, and I'm not expert in most of them, perhaps any of them depending on what you mean by expert. I read the go documentation and decided that code that was written was too subject to change by people supplying the libraries. Perhaps I was wrong, but a minimum specified version is *not* reassuring. Later versions being malicious is one of the things that have gotten Javascript programs in trouble. Also, I believe, Ruby. IIRC, it once even bit Debian, though they vet the changes pretty strictly. You need to be able to specify the exact version of the library AND the checksum to be secure. Any changes need the same testing as the original version. Well, that's a bit extreme, but it's close to correct. You need a good suite of tests, and changed libraries need to pass those tests without change (including without fixing any mistakes that your test answers depend on).

        There are decent arguments that all code that uses non-system libraries should be run inside of a jail, but usually need for security isn't strong enough to justify that.

        All that said, this is not an ideal world, and one must make do. But there's no reason to make things worse by increasing remote dependencies. Sometimes you must, but for that to be reasonable you need to ensure that they won't change in the future. There are clear advantages to dynamic linking, but they come at the cost of lessened security. When it's links to system libraries one can say "well, if the system is 0wn3d, then there's nothing one can do", but the same doesn't apply to remote code.

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
        • (Score: 2) by darkfeline on Saturday July 04 2020, @11:18PM

          by darkfeline (1030) on Saturday July 04 2020, @11:18PM (#1016299) Homepage

          >Minimum specified version is not. It requires that you trust later versions without knowing anything about them.

          Minimum specified version means it uses the oldest version that satisfies the requirements. It does the exact opposite of what you seem to be talking about. Most dep managers like pip will use use the latest version available if you specify >=2.1. If you specify "require 2.1", Go will use the minimum specified version, i.e., 2.1, unless either your package or another explicitly specifies a later version, in which case Go will use the minimum specified version that satisfies that requirement.

          --
          Join the SDF Public Access UNIX System today!
  • (Score: 2, Insightful) by Anonymous Coward on Friday July 03 2020, @05:39PM

    by Anonymous Coward on Friday July 03 2020, @05:39PM (#1015800)

    The bad news is only one set of eyes looking for the bugs.

    But then again, the good news is probably no set of eyes looking for the exploits. When yours is the only project in all the wide Internet, that uses a specific bit of code, it need be a pretty juicy target to recoup the time spent hacking it. With the plethora of low-hanging fruit everywhere, yours being singled out is quite unlikely without a VERY good reason.