Easy Ways to Eliminate Vulnerabilities in your Repository

Anton Lawrence
5 min read · Mar 1, 2020


There has been a rise of vulnerability-scanning tools lately, and since I had never fiddled around with them, I was wondering what they are all about. Now seems like a good opportunity to check them out.

You have probably seen these alerts in your repositories on GitHub lately (and most probably you have ignored them the whole time):

To be frank, I never paid attention to these until I looked into the alerts for one of my university projects — and surprise, surprise: GitHub recommends updating one of the core packages:

Looking further, I noticed that it offers more hidden gems — you can even open up a security advisory and privately discuss vulnerabilities with your collaborators.

That got me curious, so I wanted to explore. In this article, we are going to compare a few tools and see how they get the job done.

GitHub’s Vulnerability Alerts

GitHub maintains a database full of known vulnerabilities¹.

The way it works is that GitHub checks your dependency manifest files every time you push to your repository. A background task checks whether the dependency is already known; if not, it adds it to the dependency graph and gathers more information about that specific package. You can read more about that on their blog if you like.

Here’s a quick TL;DR: a machine learning model determines whether there are known vulnerabilities and whether they impact the open-source toolchain. If so, GitHub reviews them manually before they are submitted to its database. Afterward, a bot creates alerts and pull requests for all affected repositories (just think about the load for every affected project that uses popular libraries — devastating).

Okay, those are the basics of GitHub’s Vulnerability Alerts. Let’s see how we can use them from a dev’s perspective. If we hit the Security tab on our repository’s page, we can select a vulnerability and create an automated resolution. This summons the almighty dependabot, which creates a new pull request as elaborated above. dependabot used to be offered as a separate third-party product, but it has been acquired by GitHub and is now free of charge. It supports several languages, plus it’s possible to configure its behavior manually.

Within the PR’s commits above, we can spot the updated dependency in the manifest file. All that’s left to do is hit the merge button. And we’re done.
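The manual configuration mentioned above, as an added example (not from the article): a `.github/dependabot.yml` in GitHub’s version 2 format, assuming a hypothetical project with an npm manifest at the repository root and a GitHub Actions workflow.

```yaml
# .github/dependabot.yml (hypothetical example; not from the article)
version: 2
updates:
  # Version updates for the npm manifest at the repository root.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Keep PR noise manageable for a small project.
    open-pull-requests-limit: 5
    # Only track runtime dependencies here; devDependencies are left alone.
    allow:
      - dependency-type: "production"
    # Skip major bumps of a framework that is painful to upgrade mid-development
    # (the package name is just an illustration).
    ignore:
      - dependency-name: "@angular/core"
        update-types: ["version-update:semver-major"]
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"

  # Also keep the CI workflow's actions current.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
```

This file governs version updates only; the security updates raised from Security-tab alerts are enabled in the repository’s security settings and are opened as soon as an alert appears rather than waiting for this schedule.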

Bolt & Renovate

Since GitHub is collaborating with WhiteSource, I was wondering what else they offer. It seems they offer standalone tools that are independent of GitHub’s ecosystem. This is great, especially for companies that work with Azure DevOps, GitLab, Bitbucket, you name it, instead of GitHub.

So let’s give it a shot.

WhiteSource has two different tools, Bolt and Renovate.

  • Bolt finds and fixes open source vulnerabilities based on their database, similar to what GitHub does.
  • Renovate keeps your dependencies up to date and creates pull requests rich with changelogs and commit histories.

It seems both tools are a great addition to any DevOps workflow.

I added Bolt to one of my ongoing university projects, and shortly afterward it created a few issues. All of them are labeled as security vulnerabilities. If we click on one of them, we see more details and even references for the vulnerability.

Furthermore, we can even enable Bolt as a status check in our project’s branch policies. This way we ensure that it checks for vulnerabilities whenever we merge into the protected branch. Quite nifty.

Okay, so, on the one hand, Bolt scans, notifies us about vulnerabilities and creates a pull request that fixes them. On the other, Renovate keeps dependencies up to date like dependabot, regardless of whether a security vulnerability is involved.

Renovate, just like Bolt, opens a pull request that adds a file with the initial configuration. After a successful merge, the first batch of actual pull requests rolls in. In them, the bot lists all updated dependencies and suggests updating them.

Pretty cool. Guess that’s one way to automate dependency updates so you don’t need to do them yourself anymore™.

Verdict

  • dependabot looks great as a simple drop-in solution that doesn’t require further customization. It has been neatly integrated into GitHub since the acquisition — everything is there at a glance. In my opinion, this is a great tool for popular open-source projects that must stay healthy and free of known vulnerabilities.
  • WhiteSource’s own set of tools is also great and isn’t limited to GitHub. I use Azure DevOps for some of my private projects and at work. Next to third-party support, it’s possible to self-host their tools as an npm package or Docker image. I think of it as a neat addition that updates my dependencies without my intervention, because often it’s just a pain in the butt to go through the update process right in the middle of development (glares at Angular). Bolt and Renovate also win me over with their deep customization options.

As for Bolt and Renovate — I like the distinct separation of fixing open source vulnerabilities and updating dependencies just to keep them recent — neither does both at the same time, but they play well together if that’s how you want to roll. That makes it comfortable.

I hope I could offer a glimpse of how you can counteract vulnerabilities with ease. You might want to consider using these tools for your heavy-duty projects, since it’s as easy as 1-2-3 once you know how they work and what they do. There’s nothing more repetitive (and annoying) than manual dependency updates. Please feel free to share your ideas and thoughts with me.

Anton Lawrence

Security Researcher. 41 y.o, married to my beautiful wife Ashley, and father of 2 little devils