July 21, 2022 08:15 am GMT

Announcing NodeSecure Vulnera

Logo and cover by our beloved medhi bouchard

Hello,

Back for a short article about the rebranding of one of the NodeSecure tools: Vulnera (previously vuln; the vuln-era has begun!).

It is also an opportunity for me to write about this project, which was born with the redesign of the back-end less than a year ago. If you don't remember it, I wrote an article about that redesign:

Don't wait, dive in with me and discover this tool.

What is Vulnera ?

Vulnera is a package that lets you programmatically fetch the vulnerabilities of a Node.js project from multiple sources, called strategies:

Feel free to contribute new sources (we have a guide on how to add one).

The code was originally designed for vulnerability management inside the Scanner. Its API is now evolving with the goal of making it a full-fledged standalone project.

import * as vulnera from "@nodesecure/vulnera";

// Pick the source to query; setStrategy resolves to the strategy definition.
const def = await vulnera.setStrategy(
  vulnera.strategies.NPM_AUDIT
);

// Analyse the project in the current directory and return the results
// converted to the standard vulnerability format described below.
const vulnerabilities = await def.getVulnerabilities(process.cwd(), {
  useStandardFormat: true
});
console.log(vulnerabilities);

Standard vulnerability format

We have created a standard format to reconcile the different sources, so that a consumer does not have to handle each source's native shape.

export interface StandardVulnerability {
  /** Unique identifier for the vulnerability */
  id?: string;
  /** Vulnerability origin, either Snyk, NPM or NodeSWG */
  origin: Origin;
  /** Package associated with the vulnerability */
  package: string;
  /** Vulnerability title */
  title: string;
  /** Vulnerability description */
  description?: string;
  /** Vulnerability link references on origin's website */
  url?: string;
  /** Vulnerability severity levels given the strategy */
  severity?: Severity;
  /** Common Vulnerabilities and Exposures dictionary */
  cves?: string[];
  /** Common Vulnerability Scoring System (CVSS) */
  cvssVector?: string;
  /** CVSS Score */
  cvssScore?: number;
  /** The range of vulnerable versions */
  vulnerableRanges: string[];
  /** The set of versions that are vulnerable */
  vulnerableVersions: string[];
  /** The set of versions that are patched */
  patchedVersions?: string;
  /** Overview of available patches */
  patches?: Patch[];
}
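To show what "reconciling the sources" means in practice, here is an added example (my own code, not @nodesecure/vulnera's) that takes two differently shaped inputs and produces records in the shape of the interface above. Both input samples are constructed: their field names follow the npm audit v2 report (what Arborist's audit returns) and the Node.js security-wg JSON entries as I know them, and the origin labels "npm" and "nodeswg" are assumptions rather than vulnera's actual enum values. It also normalises npm's "moderate" to "medium" and derives a severity from a bare CVSS score, two of the mismatches such a format exists to hide.

```javascript
// Added example, not code from @nodesecure/vulnera: reconcile two differently
// shaped sources into one StandardVulnerability-like record per advisory.
// Input samples are constructed; origin labels "npm"/"nodeswg" are assumptions.

// Constructed npm audit v2 report (the object Arborist's audit().toJSON() returns).
const npmAuditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-lib": {
      name: "example-lib", severity: "high", isDirect: true, range: "<1.4.2",
      via: [{
        source: 1001, name: "example-lib", dependency: "example-lib",
        title: "Sample advisory 1001 for example-lib",
        url: "https://example.invalid/advisories/1001", severity: "high",
        cwe: ["CWE-1321"], range: "<1.4.2",
        cvss: { score: 7.5, vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }
      }],
      effects: ["other-lib"], nodes: ["node_modules/example-lib"], fixAvailable: true
    },
    "other-lib": {
      // A string in `via` means "vulnerable only through that dependency":
      // it carries no advisory of its own and is skipped by the converter.
      name: "other-lib", severity: "moderate", isDirect: false, range: "*",
      via: ["example-lib"], effects: [], nodes: ["node_modules/other-lib"], fixAvailable: true
    }
  }
};

// Constructed Node.js security-wg style entry for the same package.
const nodeSwgEntry = {
  id: 12, module_name: "example-lib", title: "Sample advisory 12 for example-lib",
  overview: "Constructed description of the issue.",
  cves: [],                                   // placeholder data, no real identifier claimed
  vulnerable_versions: ">=2.0.0 <2.3.1", patched_versions: ">=2.3.1",
  references: ["https://example.invalid/advisories/12"],
  cvss_vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", cvss_score: 5.3
};

// CVSS v3 qualitative rating scale, used when a source only gives a score.
function severityFromScore(score) {
  if (score === undefined || score === null) return undefined;
  if (score === 0) return "info";
  if (score < 4) return "low";
  if (score < 7) return "medium";
  if (score < 9) return "high";
  return "critical";
}

// npm says "moderate" where the standard format says "medium".
function normalizeSeverity(s) {
  return s === "moderate" ? "medium" : s;
}

function fromNpmAudit(report) {
  const out = [];
  for (const pkg of Object.values(report.vulnerabilities)) {
    for (const via of pkg.via) {
      if (typeof via === "string") continue;   // transitive pointer, no advisory
      out.push({
        id: String(via.source), origin: "npm", package: via.name,
        title: via.title, url: via.url, severity: normalizeSeverity(via.severity),
        cves: [], cvssVector: via.cvss?.vectorString, cvssScore: via.cvss?.score,
        vulnerableRanges: [via.range], vulnerableVersions: [], patches: []
      });
    }
  }
  return out;
}

function fromNodeSwg(entries) {
  return entries.map((e) => ({
    id: String(e.id), origin: "nodeswg", package: e.module_name,
    title: e.title, description: e.overview, url: e.references?.[0],
    severity: severityFromScore(e.cvss_score),
    cves: e.cves ?? [], cvssVector: e.cvss_vector, cvssScore: e.cvss_score,
    vulnerableRanges: [e.vulnerable_versions], vulnerableVersions: [],
    patchedVersions: e.patched_versions, patches: []
  }));
}

// One list whatever the source, worst severity first.
const SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };
function normalizeSources(auditReport, swgEntries) {
  return [...fromNpmAudit(auditReport), ...fromNodeSwg(swgEntries)]
    .sort((a, b) => (SEVERITY_RANK[b.severity] ?? -1) - (SEVERITY_RANK[a.severity] ?? -1));
}

// Per-package roll-up a reporter would print: advisory count and worst severity.
function summarize(vulns) {
  const summary = {};
  for (const v of vulns) {
    const cur = summary[v.package] ?? { count: 0, maxSeverity: "info" };
    cur.count += 1;
    if (SEVERITY_RANK[v.severity] > SEVERITY_RANK[cur.maxSeverity]) cur.maxSeverity = v.severity;
    summary[v.package] = cur;
  }
  return summary;
}

console.log(summarize(normalizeSources(npmAuditReport, [nodeSwgEntry])));
```

The npm report is keyed by installed package and points sideways through `via` and `effects`, while the security-wg entry is one advisory per file with a free-form range string; after conversion both are plain advisory records with the same keys, which is what lets a later merge or benchmark treat them alike.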

You can of course still use the original format of each source. We have implemented and exposed TypeScript interfaces for each of them in NodeSecure types.

Usage in Scanner

In the Scanner we already have all the necessary information, because we walk the whole dependency tree. At the end of the process we collect every vulnerability by iterating spec by spec (each resolved name@version) inside the strategy's hydratePayloadDependencies method.

const {
  hydratePayloadDependencies,
  strategy
} = await vulnera.setStrategy(
  userStrategyName // SNYK for example
);

// Walk the dependencies collected by the Scanner and attach the vulnerabilities
// found for each spec; `path` is the location of the analysed project.
await hydratePayloadDependencies(dependencies, {
  useStandardFormat: true,
  path: location
});

// Record which source produced the results in the final payload.
payload.vulnerabilityStrategy = strategy;
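To make the "spec by spec" step concrete, here is an added example of what a hydration pass does (my own code, not the Scanner's or vulnera's implementation). It assumes a payload where `dependencies` is an object keyed by package name, each entry holding a `versions` record keyed by the installed versions and a `vulnerabilities` array to fill, and advisories in the standard format from the previous section. Version matching uses a deliberately small hand-written matcher that supports only a subset of npm range syntax (comparators, spaces for AND, `||` for OR, `*`); a real implementation would use a full semver library. The data is constructed.

```javascript
// Added example, not the Scanner's or vulnera's own code: the "spec by spec"
// hydration step. Assumed payload shape: dependencies[name] = { versions, vulnerabilities }.
// The range matcher handles only a subset of npm range syntax.

// Minimal semver comparison on major.minor.patch; a leading "v" and any
// pre-release tag are dropped (simplification, not npm's full rules).
function parseVersion(v) {
  return v.replace(/^v/, "").split("-")[0].split(".").map(Number);
}
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Supported grammar: comparator sets joined by "||" (OR); inside a set,
// comparators separated by spaces (AND); comparators <, <=, >, >=, =; "*" = any.
function satisfies(version, range) {
  return range.split("||").some((set) =>
    set.trim().split(/\s+/).every((cmp) => {
      if (cmp === "" || cmp === "*") return true;
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(cmp);
      const c = compareVersions(version, m[2]);
      switch (m[1] ?? "=") {
        case "<":  return c < 0;
        case "<=": return c <= 0;
        case ">":  return c > 0;
        case ">=": return c >= 0;
        default:   return c === 0;
      }
    })
  );
}

// Constructed advisories in the standard format (only the fields the matcher needs).
const advisories = [
  { id: "A-1", package: "example-lib", title: "Sample advisory A-1", severity: "high",
    vulnerableRanges: ["<1.4.2"], vulnerableVersions: [] },
  { id: "A-2", package: "example-lib", title: "Sample advisory A-2", severity: "medium",
    vulnerableRanges: [">=2.0.0 <2.3.1"], vulnerableVersions: [] },
  { id: "A-3", package: "other-lib", title: "Sample advisory A-3", severity: "low",
    vulnerableRanges: ["*"], vulnerableVersions: [] }
];

// Constructed payload: two installed copies of example-lib (common in deep trees),
// one copy of safe-lib, and other-lib not installed at all.
const dependencies = {
  "example-lib": { versions: { "1.3.0": {}, "2.3.1": {} }, vulnerabilities: [] },
  "safe-lib":    { versions: { "4.0.0": {} }, vulnerabilities: [] }
};

// For every installed name@version spec, attach each advisory whose ranges cover it.
// vulnerableVersions is filled with the installed versions actually affected, so a
// reporter can say "1.3.0 is hit, 2.3.1 is not". Returns the number of advisories attached.
function hydratePayloadDependencies(dependencies, advisories) {
  let attached = 0;
  for (const [name, dep] of Object.entries(dependencies)) {
    const matched = new Map();            // advisory id -> copy with affected versions
    for (const version of Object.keys(dep.versions)) {
      for (const adv of advisories) {
        if (adv.package !== name) continue;
        if (!adv.vulnerableRanges.some((range) => satisfies(version, range))) continue;
        const entry = matched.get(adv.id) ?? { ...adv, vulnerableVersions: [] };
        entry.vulnerableVersions.push(version);
        matched.set(adv.id, entry);
      }
    }
    dep.vulnerabilities = [...matched.values()];
    attached += dep.vulnerabilities.length;
  }
  return attached;
}

console.log(hydratePayloadDependencies(dependencies, advisories),
            dependencies["example-lib"].vulnerabilities);
```

Note the upper bound in A-2 is exclusive: 2.3.1 is the patched version, so only the 1.3.0 copy of example-lib is flagged, and an advisory for a package that is not in the tree at all (other-lib) is never attached. Getting that boundary wrong is the usual source of both false positives and missed findings in audit tooling.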

The following diagram explains the overall behaviour and the interactions between the Scanner and Vulnera.

[Diagram: interactions between the Scanner and Vulnera]

If you want to learn more about the Payload, you can check its TypeScript interface here.

What's next ?

Some sources are harder to consume than others (for NPM we use Arborist, which does most of the work for us):

// Arborist runs the audit and hands back the full report; we only keep
// the `vulnerabilities` object keyed by package name.
const { vulnerabilities } = (await arborist.audit()).toJSON();

For sources like Sonatype, however, we still have to design and build the mechanics for querying them ourselves. That work is required for APIs such as getVulnerabilities().

Among the major subjects and ideas we are working on:

  • Create a private database to benchmark the sources against each other (see #29).
  • Merge multiple sources into one (see #25).
  • Fetch the vulnerabilities of a given remote package, with support for private registries such as Verdaccio. At the moment we only support the analysis of a local manifest or of a Scanner payload.

Credits

This project owes much to our core collaborator Antoine COULON, who invested a lot of energy in improving it.

Fun fact: his first contribution to NodeSecure was also to the old Scanner code that managed vulnerabilities.

But I haven't forgotten the individual contributions either:

NodeSecure / vulnera (GitHub repository)

Programmatically fetch security vulnerabilities with one or many strategies (NPM Audit, Sonatype, Snyk, Node.js DB).

vulnera


The vuln-era has begun! Programmatically fetch security vulnerabilities with one or many strategies. Originally designed to run on and analyse Scanner dependencies, it now also runs independently from an npm manifest.

Requirements

Getting Started

This package is published on the npm registry and can be installed with npm or yarn.

$ npm i @nodesecure/vulnera
# or
$ yarn add @nodesecure/vulnera

Usage example

import * as vulnera from "@nodesecure/vulnera";

// Default strategy is currently "none".
await vulnera.setStrategy(vulnera.strategies.NPM_AUDIT);

const definition = await vulnera.getStrategy();
console.log(definition.strategy);

const vulnerabilities = await definition.getVulnerabilities(process.cwd(), {
  useStandardFormat: true
});
console.log(vulnerabilities);

Available strategy

The default strategy is NONE which mean

Thanks for reading me and see you soon for another article!


Original Link: https://dev.to/fraxken/announcing-nodesecure-vulnera-22a6
