2017-07-11 Tuesday - JavaScript Security/Audit/Vulnerability Checks

So, quite often, I have need to analyze a massively long list of JavaScript modules that are used in a vendor's solution, when I'm providing Enterprise Architecture oversight and assessment during the vendor evaluation phase of client RFP efforts.

To provide some confidence that there are no lurking serious security concerns with any of the JavaScript modules used in the vendor solution (and equally important - to identify those that are at, or beyond, end-of-life) - I would like to find a tool that would allow me to submit a file with the list of module names (with version numbers) - via a command line tool - and receive back some form of a report/analysis - identifying which ones may pose a high risk.

This posting is a placeholder for tools that I find that might be of utility in this effort - and hopefully of use to some future reader.

First, a quick survey of a Google search to help identify initial problem/solution domain articles to review:

• https://documentation.codeship.com/basic/languages-frameworks/nodejs/
• http://www.infoworld.com/article/3181432/javascript/safety-in-nodejs-nodesource-to-certify-npm-modules.html
• https://techbeacon.com/13-tools-checking-security-risk-open-source-dependencies-0
• https://blog.risingstack.com/controlling-node-js-security-risk-npm-dependencies/
• https://geekflare.com/nodejs-security-scanner/
• https://developers.redhat.com/blog/2017/04/12/using-snyk-nsp-and-retire-js-to-identify-and-fix-vulnerable-dependencies-in-your-node-js-applications/
• https://www.npmjs.com/package/snyk
• https://github.com/snyk/vulnerabilitydb
• https://nodesource.com/blog/nine-security-tips-to-keep-express-from-getting-pwned/
• https://channel9.msdn.com/coding4fun/blog/Guarding-the-code-with-Package-Security-Alerts-and-Roslyn-Security-Guard
• https://techcrunch.com/2016/10/11/facebook-partners-with-google-others-to-launch-a-new-javascript-package-manager/
• https://blogs.msdn.microsoft.com/visualstudioalmrangers/2017/01/17/manage-your-open-source-usage-and-security-in-your-pipeline/
• http://blog.myget.org/post/2016/10/14/Checking-potential-vulnerabilities-in-project-dependencies.aspx
• http://blog.bithound.io/checking-your-npm-dependencies-for-security-vulnerabilities/
• https://www.npmjs.com/package/auditjs
• https://www.npmjs.com/package/urbanjs-tool-nsp
• https://github.com/urbanjs/urbanjs-tools
• https://www.npmjs.com/package/urbanjs-tool-retire
• https://www.npmjs.com/package/run-jst-snyk
• https://www.npmjs.com/package/recink-snyk
• https://www.npmjs.com/package/nsp-audit-package
• https://www.npmjs.com/package/owdit
• https://github.com/nodesecurity/nsp

I'll post an update next week based on what I find to be of practical use from the above list.