| 1 | +--- |
| 2 | +title: Finding and fixing your first dependency vulnerability |
| 3 | +shortTitle: Secure your dependencies |
| 4 | +intro: 'Learn how to keep your dependencies secure by enabling {% data variables.product.prodname_dependabot %} and its features in a demo repository.' |
| 5 | +versions: |
| 6 | + fpt: '*' |
| 7 | +topics: |
| 8 | + - Code Security |
| 9 | + - Dependabot |
| 10 | + - Dependencies |
| 11 | + - Alerts |
| 12 | +--- |
| 13 | + |
| 14 | +Using pre-written collections of code in your project, called **libraries** or **packages**, is common practice. These code modules save you a ton of time, letting you focus on the new, creative aspects of your work instead of coding large reusable components from scratch. When added to your project, they are called **dependencies**, since your work is dependent on the code they contain. |
| 15 | + |
| 16 | +While using dependencies is perfectly normal, dependencies can contain code vulnerabilities, which would in turn make your project insecure. Luckily, tools like {% data variables.product.prodname_dependabot %} can find dependency vulnerabilities, raise pull requests to fix them, and even prevent them from happening in the future. In this tutorial, you'll learn how to enable and use {% data variables.product.prodname_dependabot %} and its features to keep your dependencies secure. |
| 17 | + |
| 18 | +## Setting up the demo repository |
| 19 | + |
| 20 | +Let's get started by forking a demo project with some dependency vulnerabilities. Since we won't deploy the project, there is **no security risk** in this exercise. |
| 21 | + |
| 22 | +1. Navigate to the [`new2code/dependabot-demo`](https://github.com/new2code/dependabot-demo) repository. |
| 23 | +1. In the top right of the page, click {% octicon "repo-forked" aria-hidden="true" %} **Fork**. |
| 24 | +1. On the page that appears, click **Create fork**. |
| 25 | + |
| 26 | +## Enabling dependency security features |
| 27 | + |
| 28 | +Now that we've set up the project, let's configure {% data variables.product.prodname_dependabot %} to find and create fixes for insecure dependencies. |
| 29 | + |
| 30 | +1. In the navigation bar for your repository, click {% octicon "shield" aria-hidden="true" %} **Security**. |
| 31 | +1. In the "{% data variables.product.prodname_dependabot_alerts %}" row, click **Enable {% data variables.product.prodname_dependabot_alerts %}**. |
| 32 | +1. In the "{% data variables.product.prodname_dependabot %}" section, next to "{% data variables.product.prodname_dependabot_alerts %}", click **Enable**. |
| 33 | +1. In the pop up that appears, read the statement about enabling the dependency graph, then click **Enable**. |
| 34 | +1. To allow {% data variables.product.prodname_dependabot %} to automatically open pull requests fixing dependency vulnerabilities, next to "{% data variables.product.prodname_dependabot_security_updates %}", click **Enable**. |
| 35 | + |
| 36 | +## Viewing your insecure dependencies |
| 37 | + |
| 38 | +With {% data variables.product.prodname_dependabot %} configured, let's find out which of our dependencies contain vulnerabilities. |
| 39 | + |
| 40 | +1. In the navigation bar for your repository, click {% octicon "shield" aria-hidden="true" %} **Security**. |
| 41 | +1. To see the {% data variables.product.prodname_dependabot_alerts %} for your repository, in the side navigation, click {% octicon "dependabot" aria-hidden="true" %} **{% data variables.product.prodname_dependabot %}**. |
| 42 | +1. To see detailed information about an alert, click the alert title. For this exercise, click **Command Injection in hot-formula-parser**. |
| 43 | + |
| 44 | +## Understanding a Dependabot alert |
| 45 | + |
| 46 | +Now that {% data variables.product.prodname_dependabot %} has identified some vulnerabilities in our dependencies, let's break down the information provided in the "Command Injection in hot-formula-parser" alert. |
| 47 | + |
| 48 | +### Fix summary |
| 49 | + |
| 50 | +Below the title of the alert, you can see a short summary of the **fix** for this vulnerability, including the number of alerts it will close and the location of the vulnerability. In our case, the alert tells us that upgrading the `hot-formula-parser` package to version 3.0.1 will fix one {% data variables.product.prodname_dependabot %} alert identified in our `javascript/package-lock.json` file. |
| 51 | + |
| 52 | +This section also tracks {% data variables.product.prodname_dependabot %}'s progress creating a pull request to fix the vulnerability. Once a fix is available, you'll see a button labeled "{% octicon "dependabot" aria-hidden="true" %} Review security update" linking to the pull request. |
| 53 | + |
| 54 | + |
| 55 | + |
| 56 | +### Vulnerability details |
| 57 | + |
| 58 | +Below the fix details, {% data variables.product.prodname_dependabot %} provides more information about the vulnerability, including: |
| 59 | + |
| 60 | +* The name of the vulnerable package |
| 61 | +* The versions of the package that contain the vulnerability |
| 62 | +* The version of the package that fixes the vulnerability |
| 63 | +* Details on the type of vulnerability and how it can be exploited |
| 64 | + |
| 65 | + |
| 66 | + |
| 67 | +In this alert, we can see that the `parse` function in the `hot-formula-parser` package doesn't properly check that user input is safe before executing it, which allows attackers to run malicious commands. |
| 68 | + |
| 69 | +> [!TIP] If you don't fully understand the vulnerability details, try [asking {% data variables.copilot.copilot_chat_short %}](https://github.com/copilot) to explain them. |
| 70 | + |
| 71 | +### Timeline |
| 72 | + |
| 73 | +Finally, you can see the timeline of the alert at the bottom of the page. Our timeline currently contains the timestamp when {% data variables.product.prodname_dependabot %} opened the alert, and will be updated automatically when we fix the vulnerability. |
| 74 | + |
| 75 | + |
| 76 | + |
| 77 | +## Securing your dependencies |
| 78 | + |
| 79 | +To secure our project quickly and easily, let's apply the fix {% data variables.product.prodname_dependabot %} created. |
| 80 | + |
| 81 | +1. In the alert field with the fix summary, click {% octicon "dependabot" aria-hidden="true" %} **Review security update**. |
| 82 | +1. On the pull request page, click {% octicon "file-diff" aria-hidden="true" %} **Files changed** to see {% data variables.product.prodname_dependabot %}'s changes. After you review the changes, click {% octicon "comment-discussion" aria-hidden="true" %} **Conversation** to return to the pull request overview. |
| 83 | +1. To apply the fix, at the bottom of the page, click **Merge pull request**, then click **Confirm merge**. |
| 84 | + |
| 85 | + Once the pull request merges, the linked {% data variables.product.prodname_dependabot %} alert will close automatically, and the fix time will be added to the timeline. |
| 86 | + |
| 87 | +## Preventing future dependency vulnerabilities |
| 88 | + |
| 89 | +To help avoid insecure dependencies moving forward, let's allow {% data variables.product.prodname_dependabot %} to automatically open pull requests updating your dependencies as new versions are released. |
| 90 | + |
| 91 | +1. In the navigation bar for your repository, click {% octicon "gear" aria-hidden="true" %} **Settings**. |
| 92 | +1. In the "Security" section of the sidebar, click {% octicon "codescan" aria-hidden="true" %} **{% data variables.product.prodname_AS %}**. |
| 93 | +1. Next to "{% data variables.product.prodname_dependabot_version_updates %}", click **Enable**. |
| 94 | + |
| 95 | +## Next steps |
| 96 | + |
| 97 | +Now that you've tried out {% data variables.product.prodname_dependabot %} and its features on a demo repository, **enable them on your own projects** to easily find, fix, and prevent dependency vulnerabilities. |
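Review bot: the "Preventing future dependency vulnerabilities" procedure is incomplete at line 93. Clicking **Enable** next to Dependabot version updates does not turn the feature on by itself; it opens a template `.github/dependabot.yml` in the web editor that the reader has to edit and commit before Dependabot opens any version-update pull requests. The demo's manifest lives in `javascript/package-lock.json` (line 50), so the template's default `directory: "/"` also needs to become `/javascript` for the `npm` ecosystem, otherwise Dependabot finds nothing to update. Suggest adding a fourth step along the lines of "In the editor that opens, set `package-ecosystem` to `npm` and `directory` to `/javascript`, then click **Commit changes**." Two smaller points in the same file: line 20 promises there is "no security risk" in the exercise, which is true only because the reader never installs or runs the project, so "Since we won't install or deploy the project" would make the reasoning visible rather than assumed; and lines 31 and 32 both read as "enable Dependabot alerts", so it would help to say that the button on the Security overview takes you to the Advanced Security settings page, where the second **Enable** click actually turns alerts on. The tip at line 69 also puts its text on the `> [!TIP]` line; the rest of the docs put the text on the following `>` line.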