How to Avoid Vulnerabilities in Open Source Components

Malicious code is frequently planted in open-source software components so that developers download it and are compromised by the attacker. A typical mid-level developer has little to no knowledge of how to check open-source components for security issues, and that is how most of these attacks succeed.

To address this problem, developers can use browser extensions that check open-source components for known security issues before they download them. This gives the developer a snapshot of the security status of the component they are about to pull from any versioning tool.

The Chrome extension of WhiteSource's Browser Integration, also known as WhiteSource Advise, is designed to quickly identify open source packages on web pages such as Stack Overflow, Maven Central, and more.

The Chrome extension for the WhiteSource Browser Integration lets its users view the important details by clicking an icon in the extension bar and then decide whether or not to add a new component. Those details can include quality scores, known vulnerabilities, and whether your organization is already using the component.

This improves the team's overall productivity considerably, because they avoid costly rip-and-replace work when a release deadline is looming.

Analysis Metrics

Here is the information the extension provides about a component once it has scanned the page and detected the component references.

  1. Version: Checks whether a newer version exists and notifies you if so.
  2. License: Checks and identifies whether the component is licensed.
  3. Policy Violations: Checks whether the component complies with the organization's policy, as configured in the WhiteSource account, and notifies you if it does not.
  4. Projects: Displays the number of other projects in the same organization that already use this component.
  5. Vulnerabilities: One shield icon per known vulnerability, colored according to that vulnerability's severity.
  6. Quality: A quality score based on factors such as the number of commits and version releases.

Here's an example of what the panel looks like after an analysis.

Installing WhiteSource Advise

WhiteSource account administrators go to the Admin panel and click Advise for Chrome Management. The screen that opens has an option titled Add Users by Email.

Click it and add the email addresses of the users you want to invite, making sure each address is on a separate line. Each invitee receives an email with a link to the installation guide.

Although it is a paid package, it comes with a free trial that includes unlimited reports and full access to all features. The WhiteSource team also provides free technical support during the trial period.

Activating WhiteSource Advise

Once you are a WhiteSource user, having been invited as described above, you can activate the WhiteSource Advise extension from your profile page without an administrator sending you a further invite. Go to your profile page and use the Advise for Chrome link to reach the relevant panel.

Click the Advise for Chrome link to activate the extension for your browser. If you have a multi-organizational account, click the link for the organization you want to activate it for. Chrome then asks you to confirm that you want to add the extension; confirm, and you are done.

Your extension is now active. You can deactivate it at any time with the Deactivate button in the WhiteSource panel.

The WhiteSource Extension allows developers to scan any webpage for open-source package installation references by clicking on the extension icon in the browser.

The extension supports several programming languages, including Java, Scala (SBT), .NET, JavaScript, Ruby, Python, Go, PHP, Rust, Haskell, and OCaml. For each language listed below, the extension looks for the following text patterns.

Python

Ruby

Either of the ones provided below.

Node.js

Nuget

Either of the ones provided below.

Java

Either of the ones provided below.

Go

PHP

Either of the ones provided below.

Rust

Either of the ones provided below.

Haskell

Either of the ones provided below.

  • Legacy

  • Version 2

OCaml

Either of the ones provided below.

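As an added example (not WhiteSource's code; the extension's actual text patterns are not reproduced on this page), the Python script below performs the same kind of scan the extension does: it reads page text line by line, matches install-command references, extracts ecosystem, package name and version, and flags references that carry no version at all. The regular expressions are assumed common command forms, and the sample answer text is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed install-command patterns per ecosystem. The page's own pattern list
# did not survive extraction, so these are common forms, not WhiteSource's.
INSTALL_PATTERNS = {
    "pypi": re.compile(r"\bpip3?\s+install\s+([\w.\-]+)(?:==([\w.]+))?"),
    "npm": re.compile(r"\bnpm\s+(?:install|i)\s+(?:(?:-D|--save(?:-dev)?)\s+)?"
                      r"(@?\w[\w./\-]*?)(?:@([\w.^~]+))?(?=\s|$)"),
    "rubygems": re.compile(r"\bgem\s+install\s+([\w\-]+)(?:\s+-v\s+([\w.]+))?"),
    "go": re.compile(r"\bgo\s+get\s+([\w./\-]+)(?:@([\w.\-]+))?"),
    "crates": re.compile(r"\bcargo\s+add\s+([\w\-]+)(?:@([\w.]+))?"),
}

@dataclass(frozen=True)
class PackageRef:
    ecosystem: str
    name: str
    version: Optional[str]  # None when the command pulls whatever is "latest"
    line: int

def find_package_refs(text: str) -> list[PackageRef]:
    """Scan page text line by line and return every install reference found."""
    refs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for eco, pat in INSTALL_PATTERNS.items():
            for m in pat.finditer(line):
                refs.append(PackageRef(eco, m.group(1), m.group(2), lineno))
    return refs

def unpinned(refs: list[PackageRef]) -> list[str]:
    # Unpinned references resolve to a different artifact on every install.
    return [r.name for r in refs if r.version is None]

# Constructed sample, standing in for the text of a Stack Overflow answer.
SAMPLE_ANSWER = """\
You can do this with requests:
    pip install requests==2.25.1
On Node:
    npm install lodash@4.17.20
    npm install --save-dev @types/node
Ruby users: gem install nokogiri -v 1.11.0
Go: go get github.com/gorilla/mux@v1.8.0
Rust: cargo add serde
"""

if __name__ == "__main__":
    for ref in find_package_refs(SAMPLE_ANSWER):
        print(f"line {ref.line}: {ref.ecosystem} {ref.name} {ref.version or '(unpinned)'}")
```

Each extracted name and version is what a panel like the one described above would then look up against a vulnerability and license database.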
The extension not only gives developers a more productive environment but also saves the organization considerable time and money by letting developers and teams assess an open-source package's security themselves. This also reduces the load on security specialists.

Using a browser extension also lets users build better software in less time by harnessing open-source packages while keeping security in mind.