Performing a Security Audit for your Github repository
Let me introduce you to WhiteSource Bolt
Open source refers to a project that is accessible by users to share and modify, which prevents software engineers from reinventing the wheel whenever they want to build new features. Just by importing the library with one line of code, the developer’s toolkit gets wider.
Some benefits of using open-source software in development include, but are not limited to, transparency of the code base, faster time for developers to develop new features, and cost-efficiency.
Challenges with Open Source Software
Although there are many benefits of open-source software, there are many challenges that come with it.
In a 2018 article, author Maria Korolov states:
[…] researchers at Flashpoint Intelligence said criminals were using brute-force password attacks against the popular open-source Magento ecommerce platform, leveraging the compromised access to scrape credit card records and install malware focused on cryptocurrency mining.
Although open source makes developing easy and fast, there are many security issues that come with it. There are many reports of password attacks on open source projects like Magento.
When we use open-source projects, we import them into our codebase. Once the code is imported, the developer has no way of knowing whether it contains malicious code unless they actively inspect the open-source project itself. Since we often use many open source libraries in one project, it can become impossible to track every single open source dependency we rely on.
Therefore, security is a big problem in open-source projects. We can solve these problems by using software like WhiteSource Bolt.
What is WhiteSource Bolt?
The biggest problem with using open source projects is the possibility of the open-source projects being compromised, which, like a domino, will compromise every project that uses that dependency. WhiteSource Bolt prevents this security issue.
WhiteSource Bolt is a lightweight open source security and management solution, integrated within Microsoft’s Azure DevOps Services & Azure DevOps Server (formerly TFS) products. It enables you to detect and remedy vulnerable open source components.
WhiteSource Bolt is a completely free app. After installing it in Github, it automatically scans all your repos every time a developer pushes code and opens an issue for each vulnerable open source library dependency. The free version does five scans a day per private or public repository and supports over 200 programming languages. If WhiteSource finds a problem with an open source library, it automatically opens an issue with reference links, vulnerability information, and suggested fixes.
Set-up WhiteSource Bolt in Github
Step 1: Download the Github App
First, just like downloading any other Github app, click on the “Marketplace” tab in the navigation bar on Github.com. Next, inside the search field, type “WhiteSource Bolt”. You should get a couple of options. Click on WhiteSource Bolt. You will be led to the application page.
When you get to the application page, scroll to the bottom and click on “Install it for free”.
After you click on “Install it for free”, you will be led to the following page:
Screenshot from Github
By default, WhiteSource will be installed in all your current and future repositories. If you want more control over which repositories it is installed in, you can pre-select the projects you want to monitor by clicking on “Only select repositories” and picking the repositories you want WhiteSource installed in.
Step 2: Register for a WhiteSource Account
After you click “Install” you will reach a page where you can register for a WhiteSource account, which looks like so:
Screenshot of WhiteSource Registration Page
Just enter your name and email and congratulations, you are done installing the WhiteSource Github App!
Screenshot of the success page
Run WhiteSource Tests
After you activate WhiteSource Bolt for Github, you will receive a pull request in all of the repositories you selected to run tests on. The pull request will have documentation of expectations and a .whitesource configuration file. The pull request will look like the following screenshot:
Screenshot of the Pull Request Screen
This pull request will add the `.whitesource` configuration file, which will look like the following JSON:
```json
{
  "scanSettings": {
    "baseBranches": []
  },
  "checkRunSettings": {
    "vulnerableCheckRunConclusionLevel": "failure",
    "displayMode": "diff"
  },
  "issueSettings": {
    "minSeverityLevel": "LOW"
  }
}
```
After this file is imported, anytime a branch is merged, WhiteSource will scan the repo and automatically open issues in the issue tab.
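To make the effect of the two settings in that file concrete, here is an added example (not WhiteSource’s own code) that loads a `.whitesource` file and models how `minSeverityLevel` filters which findings become issues and how `vulnerableCheckRunConclusionLevel` sets the check-run result. The threshold semantics, the severity ordering and the sample findings are assumptions for illustration.

```python
import json

# Constructed sample: the .whitesource file as added by the pull request
WHITESOURCE_CONFIG = """
{
  "scanSettings": { "baseBranches": [] },
  "checkRunSettings": {
    "vulnerableCheckRunConclusionLevel": "failure",
    "displayMode": "diff"
  },
  "issueSettings": { "minSeverityLevel": "LOW" }
}
"""

# Assumed ordering of severities; NONE is assumed to disable issue creation
SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed findings modelled on the Medium jQuery finding described in the post
SAMPLE_FINDINGS = [
    {"library": "jquery-3.2.1.slim.min.js", "severity": "MEDIUM",
     "summary": "untrusted HTML passed to .html()/.append() may execute code; fixed in 3.5.0"},
    {"library": "example-lib-1.0.0.js", "severity": "LOW",
     "summary": "constructed low-severity finding"},
]


def load_config(text):
    """Parse the .whitesource JSON and pull out the two settings we model."""
    cfg = json.loads(text)
    level = cfg.get("issueSettings", {}).get("minSeverityLevel", "LOW").upper()
    if level not in SEVERITY_RANK:
        raise ValueError(f"unknown minSeverityLevel {level!r}")
    conclusion = cfg.get("checkRunSettings", {}).get(
        "vulnerableCheckRunConclusionLevel", "failure")
    return {"min_severity": level, "conclusion": conclusion}


def issues_to_open(findings, cfg):
    """Findings at or above minSeverityLevel (assumed threshold semantics)."""
    threshold = SEVERITY_RANK[cfg["min_severity"]]
    if threshold == 0:
        return []
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"].upper(), 0) >= threshold]


def check_run_conclusion(findings, cfg):
    """Check run fails (per the configured level) when any finding exists."""
    return cfg["conclusion"] if findings else "success"
```

Raising `minSeverityLevel` to `HIGH` would silently drop the Medium jQuery finding from the issues tab, so leaving it at `LOW` is the safer default for a repository you actually want to monitor.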
Last summer, I created a playground repo. I was using it as practice for an internship to get familiar with Github. I decided to install WhiteSource in that repo. After installation, I merged in a branch where I added the starter Bootstrap template. I decided that the Bootstrap template would be a good starting point because many companies and individuals use it. Within a couple of minutes of merging my branch, I opened the issues tab to see one issue that WhiteSource had detected in my repo after I imported the Bootstrap template.
The issue was labeled as a “security vulnerability”. When I clicked on the issue, it was labeled as a Medium Security Vulnerability. It told me exactly which library the issue was coming from (jquery-3.2.1.slim.min.js). It provided me details about the vulnerability as follows:
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources — even after sanitizing it — to one of jQuery’s DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
WhiteSource gave me suggested ways to fix the issue. It even graded the vulnerability to allow the developer to determine if it’s a priority or not!
After installation, WhiteSource automatically tells me everything I need to know about the open-source libraries that I am using. It categorizes, opens issues, provides details of the issues, and gives suggestions! WhiteSource is like having a really experienced developer on your team who works 24/7 and always knows the right answer.
In this day and age, everyone uses an open-source library in their code. We can deploy code faster and faster using open-source libraries. However, we need to be careful and on the lookout for security issues that these open source dependencies might inject into our codebase.