
Add security vulnerability checking #297

Open
watzon opened this issue Sep 18, 2019 · 11 comments

Comments

@watzon

watzon commented Sep 18, 2019

GitHub announced some new security features today which, as far as I understand, are language agnostic in their execution for the most part. One of those is the ability for maintainers of a project to work on security vulnerabilities in a private environment and then notify the community of that vulnerability once it's patched.

They said that they'll be opening an API which would allow you to check if a particular dependency has any security vulnerabilities, and it would be amazing if we could integrate that functionality directly into shards (in a similar way to how npm warns of vulnerabilities) possibly with the ability to automatically fix the vulnerabilities by patching the shard.yml file.

I don't know if the API is available quite yet, but I figured it would be good to have a discussion about this since security should be top priority for everyone.

@ysbaddaden
Contributor

It would be nice to have a security command, and printing warning messages on install, yes. The GitHub API is in preview (RepositoryVulnerabilityAlert in the GraphQL v4 API).

If someone wants to play with this.

@miketheman

I've been poking at the preview API, and it's not exactly responding in a manner that I expect.

From what I gather, a repo owner must first enable data access for GitHub to scrape dependencies, which can alert the repo owner that packages used in their repo may contain published vulnerabilities.

Do we know if GitHub is checking shards.yml files yet? It doesn't appear so from their current ecosystem list.

The results of these alerts are private to the repo owner.

A repo may also elect to publish a public-facing security advisory (in beta) - and this is likely the API that shards ought to look at when evaluating versions.
However, I don't yet know how these advisories turn up in a public API.

@bcardiff
Member

I tried to contact GitHub in the past regarding the detection of dependencies, but I failed to get an answer whether there is something on our end we can do to get that feature.

@Sija
Contributor

Sija commented Sep 23, 2019

@bcardiff I did that too, with no followup so far.

@watzon
Author

watzon commented Sep 23, 2019

@bcardiff @Sija I'm pretty sure they use dependabot, which is open source. Someone could open a PR for Crystal support.

@ysbaddaden
Contributor

A project owner (maybe a collaborator too) can create draft advisories from the Security pane, allowing them to discuss and work in private on a fix; then you can publish it. Once publicly available, we should be able to list it using RepositoryVulnerabilityAlert from the GraphQL API.

Now, this is nice, but it's for sending GitHub notifications, and having some history of advisories. It doesn't seem to have a template for affected versions, so it's not meant for automated analysis by a tool as discussed here (notify security issues on install). We could require a template, or an embedded YAML in the advisory, but that's kinda error prone.

@didactic-drunk

What about non-github repos? Or malware repos that don't willingly report? Or repos that depend on malware repos that the author no longer maintains?

@rishavs

rishavs commented May 3, 2020

@paulcsmith of the Lucky Framework is now working at GitHub. Maybe he will have some know-how to help move this along.

@PercussiveElbow

This is something important to implement - but I think checking for vulns should also have a vendor-independent solution too, rather than relying completely on a GitHub feature.

I know other languages have advisory DBs (ruby-advisory-db, Python's safety-db). Could we consider something similar in addition to Github's own service? I'd imagine a system like NPM's advisory service is probably out of the question given shards aren't hosted in a centralised location.

@ghost

ghost commented Nov 15, 2020

@PercussiveElbow I've wanted to work on an advisory db for a while, and I've finally got some downtime. I think I've got some solutions for the lack of a centralized repository. I'll start working on a proof of concept and update here if I get somewhere.

@straight-shoota
Member

There's no need for a centralized registry to track vulnerabilities. It might actually be even better to have an advisory db separate from package discovery. Essentially, such a db is just a list which references packages and affected versions. That totally works without a registry. It just needs to use the established reference mechanism already used for shards.

The requirements of an advisory db are in no way specific to the shards ecosystem, so there's no need for a tailored solution to track vulnerabilities. I see great potential for relying on something that already exists. I'm not very familiar with which options are available, but taking a look at how this is set up for other dependency ecosystems should give a good understanding. Maybe we can just use https://github.com/rubysec/ruby-advisory-db or something similar (perhaps it requires a few modifications). A multi-purpose database like https://snyk.io/vuln may also be an option.

I'd be happy to integrate information from an advisory database into https://shardbox.org.
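To make the "list which references packages and affected versions" idea concrete, here is an added example (not code from the shards project or from anyone in this thread) of the matching step such a `shards security` command would perform. It assumes an advisory file layout modelled on ruby-advisory-db entries (`patched_versions` / `unaffected_versions` constraints, with a `shard:` key in place of `gem:`), reads the pinned `version:` of each dependency from a `shard.lock`, and reports which locked versions fall inside an advisory. The shard names, advisory identifiers and titles are constructed placeholders, and Ruby's `Gem::Requirement` stands in for whatever constraint parser shards itself would use. It also surfaces the caveat that a dependency pinned to a `commit:` rather than a `version:` cannot be matched against version ranges at all.

```ruby
require "yaml"
require "rubygems" # Gem::Version / Gem::Requirement for constraint matching

# Constructed sample shard.lock (not from any real project).
# "example-util" is pinned to a commit, so it has no version to compare.
SAMPLE_LOCK = <<~YAML
  version: 2.0
  shards:
    example-http:
      git: https://github.com/example/example-http.git
      version: 0.4.2
    example-json:
      git: https://github.com/example/example-json.git
      version: 1.2.0
    example-crypto:
      git: https://github.com/example/example-crypto.git
      version: 2.0.1
    example-util:
      git: https://github.com/example/example-util.git
      commit: 0000000000000000000000000000000000000000
YAML

# Constructed advisories, one YAML document each, in the shape of a
# ruby-advisory-db entry. Identifiers and titles are placeholders.
SAMPLE_ADVISORIES = <<~YAML
  ---
  shard: example-http
  id: EXAMPLE-ADVISORY-0001
  title: Constructed example advisory for example-http
  patched_versions:
    - ">= 0.5.0"
  ---
  shard: example-json
  id: EXAMPLE-ADVISORY-0002
  title: Constructed example advisory for example-json
  unaffected_versions:
    - "< 1.0.0"
  patched_versions:
    - ">= 1.2.0"
YAML

# Map shard name => locked version string, skipping entries without a version.
def parse_lock(text)
  doc = YAML.safe_load(text)
  (doc["shards"] || {}).each_with_object({}) do |(name, info), acc|
    acc[name] = info["version"].to_s if info.is_a?(Hash) && info["version"]
  end
end

# Dependencies pinned to a commit (or otherwise unversioned) cannot be
# checked against version ranges; a real tool should report these.
def unpinned_shards(text)
  doc = YAML.safe_load(text)
  (doc["shards"] || {}).reject { |_, info| info.is_a?(Hash) && info["version"] }.keys
end

def parse_advisories(text)
  YAML.load_stream(text).compact
end

def matches_any?(version, constraints)
  constraints.any? { |c| Gem::Requirement.new(c).satisfied_by?(version) }
end

# An advisory applies unless the version is explicitly unaffected or patched.
def affected?(version_str, advisory)
  version = Gem::Version.new(version_str)
  return false if matches_any?(version, Array(advisory["unaffected_versions"]))
  return false if matches_any?(version, Array(advisory["patched_versions"]))
  true
end

# Cross-reference every advisory against the locked versions; returns findings.
def audit(lock_text, advisories_text)
  locked = parse_lock(lock_text)
  parse_advisories(advisories_text).each_with_object([]) do |adv, findings|
    version = locked[adv["shard"]]
    next unless version && affected?(version, adv)
    findings << {
      "shard" => adv["shard"], "version" => version, "id" => adv["id"],
      "title" => adv["title"], "patched_versions" => Array(adv["patched_versions"]),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOCK, SAMPLE_ADVISORIES).each do |f|
    puts "#{f["shard"]} #{f["version"]}: #{f["id"]} (#{f["title"]}); fixed in #{f["patched_versions"].join(", ")}"
  end
  unpinned_shards(SAMPLE_LOCK).each { |name| puts "#{name}: pinned to a commit, not checked" }
end
```

With the constructed input, only `example-http 0.4.2` is reported (it is below the `>= 0.5.0` patched range), `example-json 1.2.0` is cleared because it satisfies its patched constraint, and `example-util` is listed as unchecked. Whether the advisory list lives in a git repository like ruby-advisory-db or is fetched from an API is orthogonal to this matching logic; the data each entry must carry is the shard reference and the version constraints.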
