To provide some confidence that there are no lurking serious security concerns with any of the JavaScript modules used in the vendor solution (and, equally important, to identify those that are at or beyond end-of-life), I would like to find a command-line tool that would allow me to submit a file with the list of module names (with version numbers) and receive back some form of report/analysis identifying which ones may pose a high risk.
This posting is a placeholder for tools I find that might be of use in this effort, and hopefully of use to some future reader.
First, a quick survey of the results of a Google search, to help identify initial articles on the problem/solution domain to review:
- https://documentation.codeship.com/basic/languages-frameworks/nodejs/
- http://www.infoworld.com/article/3181432/javascript/safety-in-nodejs-nodesource-to-certify-npm-modules.html
- https://techbeacon.com/13-tools-checking-security-risk-open-source-dependencies-0
- https://blog.risingstack.com/controlling-node-js-security-risk-npm-dependencies/
- https://geekflare.com/nodejs-security-scanner/
- https://developers.redhat.com/blog/2017/04/12/using-snyk-nsp-and-retire-js-to-identify-and-fix-vulnerable-dependencies-in-your-node-js-applications/
- https://github.com/snyk/vulnerabilitydb
- https://nodesource.com/blog/nine-security-tips-to-keep-express-from-getting-pwned/
- https://channel9.msdn.com/coding4fun/blog/Guarding-the-code-with-Package-Security-Alerts-and-Roslyn-Security-Guard
- https://techcrunch.com/2016/10/11/facebook-partners-with-google-others-to-launch-a-new-javascript-package-manager/
- https://blogs.msdn.microsoft.com/visualstudioalmrangers/2017/01/17/manage-your-open-source-usage-and-security-in-your-pipeline/
- http://blog.myget.org/post/2016/10/14/Checking-potential-vulnerabilities-in-project-dependencies.aspx
- http://blog.bithound.io/checking-your-npm-dependencies-for-security-vulnerabilities/
- https://www.npmjs.com/package/auditjs
- https://www.npmjs.com/package/urbanjs-tool-nsp
- https://www.npmjs.com/package/run-jst-snyk
- https://www.npmjs.com/package/recink-snyk
- https://www.npmjs.com/package/nsp-audit-package
- https://www.npmjs.com/package/owdit
- https://github.com/nodesecurity/nsp
I'll post an update next week based on what I find to be of practical use from the above list.