What are Traverse Dependency Vulnerabilities?

What are they, and how to fix them

Divya Tekwani
Globant
5 min read · Sep 14, 2023


A dependency is a package the project references and cannot work without. We install these packages with npm install <package name> or yarn install <package name>. Each package in turn installs the packages it needs to work correctly, and the result is a tree known as the dependency tree; the packages pulled in indirectly this way are what this post calls traverse dependencies (the more common term is transitive dependencies).

For example, say a project uses Axios for API calls. After installation, the yarn.lock/package-lock.json file will contain an entry like the one below:

An Example of a dependency installed

In the example above, the entry has a dependencies section listing every package, with its version details, that Axios itself requires; in this case there is only one, "form-data".

What are vulnerabilities in dependencies?

Vulnerabilities are flaws in a computer system that compromise the system's security. Vulnerabilities can be weaknesses in the hardware or the software that runs on it.

For a project, vulnerabilities are reported as soon as npm install completes. For example, installing the "react-scripts" package produces the warning below.

npm install of dependency package

The example above shows that, once the package is installed, npm reports that one high-severity vulnerability was found.

It also tells you how to see the details of the vulnerability and how to fix it. Let's look at the details by running the npm audit command.

NPM Audit Security Report

The audit security report gives us the details of all the vulnerabilities. For each vulnerability, it gives the following details:

  • Severity
  • The package that introduces the issue
  • The affected version range
  • Which package depends on the vulnerable one
  • The dependency path to the vulnerable package
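The same fields can be pulled out of the machine-readable form of the report. This is an added example, not code from the original post: it reads the JSON that `npm audit --json` writes and produces one record per vulnerable package with the fields listed above. SAMPLE_AUDIT is constructed data with placeholder package names, laid out like the auditReportVersion 2 format that npm 7 and later produce.

```javascript
// Added example (not from the post): summarise the fields the article lists from
// the JSON form of `npm audit` (`npm audit --json > audit.json` in the project).
// SAMPLE_AUDIT is CONSTRUCTED data with placeholder names, laid out like the
// auditReportVersion 2 format that npm 7 and later produce.
const SAMPLE_AUDIT = { auditReportVersion: 2, vulnerabilities: {
  "example-parser": { name: "example-parser", severity: "high", isDirect: false,
    via: [{ title: "Placeholder advisory title", severity: "high", range: "<2.0.0" }],
    effects: ["example-scripts"], range: "<2.0.0", nodes: ["node_modules/example-parser"],
    fixAvailable: { name: "example-scripts", version: "5.0.1", isSemVerMajor: true } },
  "example-scripts": { name: "example-scripts", severity: "high", isDirect: true,
    via: ["example-parser"], effects: [], range: "<=4.0.0", nodes: ["node_modules/example-scripts"],
    fixAvailable: { name: "example-scripts", version: "5.0.1", isSemVerMajor: true } },
} };

// Follow the `effects` links upward until a direct dependency is reached: that is
// the path from the project's own dependency down to the vulnerable package.
function pathTo(vulns, name, seen = new Set()) {
  const v = vulns[name];
  if (!v || v.isDirect || v.effects.length === 0 || seen.has(name)) return [name];
  seen.add(name);
  return [...pathTo(vulns, v.effects[0], seen), name];
}

// `fixAvailable` is true (plain `npm audit fix` suffices), an object naming the
// package and version to move to, or false when no fix is known.
function describeFix(fix) {
  if (fix === true) return "npm audit fix";
  if (!fix) return "no fix available";
  return `${fix.name}@${fix.version}${fix.isSemVerMajor ? " (semver-major)" : ""}`;
}

// One record per vulnerable package with the fields the article lists.
function summarizeAudit(report) {
  const vulns = report.vulnerabilities || {};
  return Object.values(vulns).map((v) => {
    const advisory = v.via.find((x) => typeof x === "object");
    const path = pathTo(vulns, v.name);
    return {
      severity: v.severity,
      package: v.name,
      vulnerableRange: v.range,
      dependentOn: v.isDirect ? "(direct dependency)" : path[path.length - 2],
      path: path.join(" > "),
      advisory: advisory ? advisory.title : `(inherited from ${v.via.join(", ")})`,
      fix: describeFix(v.fixAvailable),
    };
  });
}
```

A semver-major fix (as in the sample) is exactly the case where you must test the application after upgrading, since the fix changes the direct dependency's major version.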

This is one way of finding vulnerabilities, and it is straightforward, but it doesn't always give complete results. Many other tools can find these vulnerabilities with more detail about each one. One such tool is Mend.

What is Mend?

Mend (formerly WhiteSource) is an open-source software security and compliance management tool that integrates into your build process. It works in the background, checking the security, licensing, and quality of your open-source components. Please refer to Mend's documentation for more insights.

If we integrate Mend, we get a vulnerability report after every build, with findings grouped into high, medium, and low severity, which helps us find both the vulnerabilities and their fixes. Below is an example of a Mend scan report:

Mend Scan Report

It gives the following details for each vulnerability:

  • Its severity and when it was introduced.
  • The library/package that caused it.
  • Its description.
  • The exact fix that resolves the vulnerability.

In short, Mend is far more efficient than npm audit at finding vulnerabilities, because it runs after every build, whereas npm audit has to be run manually from time to time to keep vulnerabilities in check.

Coming to the Fix…

So far we have seen different ways of finding these vulnerabilities. Now let's focus on how to fix them.

We will use the Mend example here, as it gives the vulnerability fix details in the report itself.

Vulnerability Example

In the image above, the report tells us that we have a high-severity vulnerability caused by the jetty-util-9.2.12 package. It also describes the vulnerability and, finally, gives us the fix: upgrading the package resolves it.

Now we understand the fix, but how do we apply it?

We can do that in a few straightforward steps: add the upgraded package to the resolutions object of package.json, as shown below, then simply run npm install or yarn install.

package.json snippet

⚠️ Disclaimer

This works fine for yarn, but for npm we also have to add a preinstall script that runs npm-force-resolutions (https://www.npmjs.com/package/npm-force-resolutions) before running npm install.

preinstall script
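The two edits described above (the resolutions entry, plus the preinstall script that npm needs) as an added example, not the post's own package.json. The package name and fixed version are placeholders to be taken from the scan report; `npx npm-force-resolutions` is the hook the linked package documents, and it rewrites package-lock.json, so a lockfile must already exist when it runs.

```javascript
// Added example (not from the post): patch a package.json object the way the
// article describes. Package name and fixed version are PLACEHOLDERS; take the
// real ones from the scan report. For npm the npm-force-resolutions hook is added
// as a preinstall script; yarn honours `resolutions` natively and needs no script.
const FORCE_RESOLUTIONS = "npx npm-force-resolutions";

function applyResolution(pkg, name, fixedVersion, packageManager = "yarn") {
  const out = JSON.parse(JSON.stringify(pkg)); // never mutate the caller's object
  out.resolutions = { ...(out.resolutions || {}), [name]: fixedVersion };
  if (packageManager === "npm") {
    const scripts = out.scripts || {};
    const existing = scripts.preinstall;
    // keep any preinstall step already present, but never add the hook twice
    if (!existing) scripts.preinstall = FORCE_RESOLUTIONS;
    else if (!existing.includes(FORCE_RESOLUTIONS)) {
      scripts.preinstall = `${FORCE_RESOLUTIONS} && ${existing}`;
    }
    out.scripts = scripts;
  }
  return out;
}

// Constructed sample package.json with an existing preinstall step
const SAMPLE_PACKAGE_JSON = {
  name: "demo-app", version: "1.0.0",
  dependencies: { "example-scripts": "^4.0.0" },
  scripts: { preinstall: "echo preparing" },
};
```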

To verify that the package was updated, open your package-lock.json or yarn.lock and search for the package; it should now show the version you specified. Always test your application after applying this fix to catch breaking changes. Once you have verified the application, the vulnerability should be resolved with the next build and should no longer appear in the scan report.
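Searching the lockfile by hand misses one case: a stale nested copy under another package's node_modules that still carries the old version. The added example below (not from the post) reads both lockfile formats and checks that every installed copy is the pinned version. It assumes package-lock.json in lockfileVersion 1, 2 or 3 layout and yarn.lock in the classic v1 text format; the samples are constructed with placeholder names.

```javascript
// Added example (not from the post): check that the lockfile really pins the version
// named in `resolutions`. Samples are CONSTRUCTED with placeholder names; on a real
// project read package-lock.json / yarn.lock from disk and pass the contents in.
function versionsFromPackageLock(lock, name) {
  const found = new Set();
  // lockfileVersion 2/3: flat `packages` map keyed by install path
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) found.add(meta.version);
  }
  // lockfileVersion 1: nested `dependencies` tree
  const walk = (deps) => Object.entries(deps || {}).forEach(([n, meta]) => {
    if (n === name) found.add(meta.version);
    walk(meta.dependencies);
  });
  if (!lock.packages) walk(lock.dependencies);
  return [...found];
}

function versionsFromYarnLock(text, name) {
  const found = new Set();
  let inEntry = false;
  for (const line of text.split("\n")) {
    if (line && !/^\s/.test(line) && line.trimEnd().endsWith(":")) {
      // entry header: comma-separated `name@range` selectors, possibly quoted
      inEntry = line.trimEnd().slice(0, -1).split(",")
        .some((s) => s.trim().replace(/^"|"$/g, "").startsWith(`${name}@`));
    } else if (inEntry) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) found.add(m[1]);
    }
  }
  return [...found];
}

// true only when the package is present and every installed copy is the pinned version
function resolutionApplied(versions, pinned) {
  return versions.length > 0 && versions.every((v) => v === pinned);
}

const SAMPLE_PACKAGE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/example-scripts": { version: "4.0.0" },
  "node_modules/example-parser": { version: "2.0.1" },
  "node_modules/example-scripts/node_modules/example-parser": { version: "1.9.0" }, // stale nested copy
} };
const SAMPLE_YARN_LOCK = [
  '"example-parser@^1.2.0", example-parser@2.0.1:',
  '  version "2.0.1"',
  '',
  'example-scripts@^4.0.0:',
  '  version "4.0.0"',
].join("\n");
```

On the constructed npm sample the check fails because of the nested 1.9.0 copy, which is the situation a plain text search for the package name can overlook.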

Conclusion

In all, vulnerabilities are not difficult to find and resolve, but if left unchecked they can lead to severe issues and malicious attacks. Given the number of cyber-security attacks in recent years, many organizations have made vulnerability checks mandatory. If a vulnerability cannot be fixed, one should either re-evaluate the packages causing it or switch to an alternative or upgraded package that is free of vulnerabilities.
