[Owasp-leaders] NuGet and OWASP Top10 2013 A9

Jeremy Long jeremy.long at owasp.org
Tue Jun 18 00:20:44 UTC 2013


On the Java side I have built dependency-check
(https://github.com/jeremylong/DependencyCheck). The way this tool works is
that it collects "evidence" from the JAR files it scans. The evidence would
be things such as information from the pom.xml or manifest, package names,
the file name itself, etc. It then uses this information to query a local
copy of the CPE data from the NVD CVE data feeds. If it identifies a
library (such as Apache Struts 1.2.8 -> cpe:/a:apache:struts:1.2.8) it
would generate a report of the known CVE entries.

I've been considering how to scan .NET DLLs, and while I have a plan - I
haven't had the time to work on the JNI calls that would be required to
make this happen. If anyone is interested in helping out, it might be
possible to use dependency-check to scan the entire NuGet repo and use any
identified issues to populate the SafeNuGet database (if there are any DLLs
with published CVE entries).

When looking at scanning Java dependencies I decided against keeping a
stored list of libraries based off of things like hash codes because open
source projects will often get re-compiled and the hash codes will no
longer match (however, Victims <https://github.com/victims> uses an
interesting approach to hash matching). I went with attempting to detect
what the CPE for a JAR file is and then looking up the vulnerabilities from
that.

The reason I didn't go the route of trying to get project owners to
disclose the vulnerabilities is because - as a developer if I find a
vulnerability in code I am maintaining - what am I most likely to do? Fix
the code and report it out to the world with a new CVE? Probably not, the
most likely scenario is that I'm going to fix the code, commit it, and
continue coding.

The reason I didn't go the route of reading the commit logs/release notes
of projects is - well there are a ton of them. In my opinion unless you
have a company supporting this effort this becomes a somewhat unsustainable
effort (IMHO).

I would love to help with anything I can do to help get detection of
vulnerable libraries for .NET.

--Jeremy

PS - there will be a very big release of dependency-check at the BlackHat
Arsenal in Vegas at the end of July.
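The evidence-to-CPE lookup described above, as an added example that is not dependency-check's own code: a small Python script that collects vendor, product and version evidence from a JAR (file name, manifest, Maven pom.properties, package layout of the classes), matches that evidence against a stand-in for the local NVD CPE dictionary, and reports the CVE ids recorded for the matched CPE. The sample JAR, the CPE catalogue and the CVE table are all constructed here (the CVE ids are placeholders, not real entries); the Apache Struts 1.2.8 CPE is the one named in the mail. The last two functions also show the point about hash-based lists: two builds of the same sources hash differently while the evidence match stays the same.

```python
"""Evidence-based CPE identification for a JAR, modelled on the approach the
mail describes. All data below is constructed; CVE ids are placeholders."""
import hashlib
import io
import re
import zipfile

# Constructed stand-in for the local copy of the NVD CPE dictionary.
CPE_CATALOG = [
    "cpe:/a:apache:struts:1.2.8",
    "cpe:/a:apache:struts:1.2.9",
    "cpe:/a:apache:commons_collections:3.2.1",
]

# Constructed stand-in for the CVE feed, keyed by CPE. Ids are placeholders.
CVE_BY_CPE = {
    "cpe:/a:apache:struts:1.2.8": ["CVE-PLACEHOLDER-0001", "CVE-PLACEHOLDER-0002"],
    "cpe:/a:apache:struts:1.2.9": ["CVE-PLACEHOLDER-0002"],
}

TOKEN_RE = re.compile(r"[a-z0-9]+")
# Words that appear in names but carry no identity (assumed noise list).
NOISE = {"org", "com", "net", "framework", "software", "foundation"}


def tokens(text):
    """Lower-case alphanumeric tokens of a string, minus noise words."""
    return set(TOKEN_RE.findall(text.lower())) - NOISE


def parse_cpe(cpe):
    """Split 'cpe:/a:vendor:product:version' into its three identity parts."""
    parts = cpe.split(":")
    return parts[2], parts[3], parts[4]


def build_sample_jar(build_id="build-1"):
    """Constructed struts-core-like JAR. build_id changes the bytes (and so
    the hash) without changing any of the identifying evidence."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\n"
                    "Implementation-Title: Struts Framework\n"
                    "Implementation-Vendor: Apache Software Foundation\n"
                    "Implementation-Version: 1.2.8\n"
                    f"Built-By: {build_id}\n")
        zf.writestr("META-INF/maven/org.apache.struts/struts-core/pom.properties",
                    "version=1.2.8\ngroupId=org.apache.struts\nartifactId=struts-core\n")
        # Four bytes of class-file magic stand in for a real class.
        zf.writestr("org/apache/struts/action/ActionServlet.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def collect_evidence(jar_bytes, file_name):
    """Gather vendor/product/version candidates from the file name, the
    manifest, Maven pom.properties and the package layout of the classes."""
    ev = {"vendor": set(), "product": set(), "version": set()}
    m = re.match(r"(?P<base>.+?)-(?P<ver>\d+(?:\.\d+)+)\.jar$", file_name)
    if m:  # e.g. struts-core-1.2.8.jar -> product {struts, core}, version 1.2.8
        ev["product"] |= tokens(m.group("base"))
        ev["version"].add(m.group("ver"))
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == "META-INF/MANIFEST.MF":
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    key, _, val = line.partition(":")
                    key, val = key.strip(), val.strip()
                    if key == "Implementation-Vendor":
                        ev["vendor"] |= tokens(val)
                    elif key == "Implementation-Title":
                        ev["product"] |= tokens(val)
                    elif key == "Implementation-Version":
                        ev["version"].add(val)
            elif name.endswith("pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    key, _, val = line.partition("=")
                    if key == "groupId":  # org.apache.struts hints at vendor and product
                        ev["vendor"] |= tokens(val)
                        ev["product"] |= tokens(val)
                    elif key == "artifactId":
                        ev["product"] |= tokens(val)
                    elif key == "version":
                        ev["version"].add(val.strip())
            elif name.endswith(".class"):
                segs = name.split("/")
                if len(segs) >= 4:  # org/apache/struts/... -> vendor apache, product struts
                    ev["vendor"].add(segs[1])
                    ev["product"].add(segs[2])
    return ev


def match_cpes(ev, catalog=CPE_CATALOG):
    """A CPE matches when every token of its vendor and product appears in the
    evidence and its version was seen verbatim (exact-version rule assumed)."""
    hits = []
    for cpe in catalog:
        vendor, product, version = parse_cpe(cpe)
        if tokens(vendor) <= ev["vendor"] and tokens(product) <= ev["product"] \
                and version in ev["version"]:
            hits.append(cpe)
    return hits


def find_known_cves(jar_bytes, file_name):
    """Report: matched CPE -> CVE ids recorded for it in the feed."""
    ev = collect_evidence(jar_bytes, file_name)
    return {cpe: CVE_BY_CPE.get(cpe, []) for cpe in match_cpes(ev)}


def sha1_hex(data):
    """Hash of the raw JAR bytes; changes on every rebuild of the same sources."""
    return hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    for build in ("build-1", "build-2"):
        jar = build_sample_jar(build)
        print(build, sha1_hex(jar)[:12], find_known_cves(jar, "struts-core-1.2.8.jar"))
```

Running it prints two different hash prefixes and the same report for both builds, which is the case Jeremy makes against keeping a hash list for open source libraries. In a real scanner the catalogue and CVE table would come from the NVD feeds, and the matching would carry confidence levels per evidence source rather than the strict all-tokens rule used here.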


On Mon, Jun 17, 2013 at 2:57 PM, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:

>   The repo has now been moved to https://github.com/OWASP/SafeNuGet
>
>  The most important quality aspect of this project is to keep the feed up
> to date. This means two things:
>
>    - Looking through (googling) NuGet package descriptions and web sites
>    for security issues.
>    - Reaching out to maintainers of NuGet packages and asking them to help
>    us by letting us know when vulnerabilities have been discovered and patched
>    in their packages.
>
> Other than that, improving on the MSBuild plugin is next on the list. I
> will migrate the suggested enhancements (under "issues") from the old repo.
> You can both submit code and suggest improvements there.
>
>  I will also talk to Samantha about setting this up as an OWASP project.
>
>  Jason and Michael: Welcome aboard
>
>  Best regards,
> Erlend
>
>
>   From: Michael Hidalgo <michael.hidalgo at owasp.org>
> Date: Monday, 17 June, 2013 17:44
> To: Jason Johnson <jason.johnson at owasp.org>
> Cc: Erlend Oftedal <erlend.oftedal at bekk.no>, "
> owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>
> Subject: Re: [Owasp-leaders] NuGet and OWASP Top10 2013 A9
>
>   Hi guys,
> That is an interesting approach and I would like to get involved too.
>
>
>
> On Mon, Jun 17, 2013 at 8:10 AM, Jason Johnson <jason.johnson at owasp.org> wrote:
>
>> Can I please help with this? Are you planning on building a repo? Forgive
>> me for not reading your posts but this is big. I am willing to help you
>> anyway I can if you need server space or anything.
>>
>> Jason
>>   On Jun 17, 2013 9:37 AM, "Jason Johnson" <jason.johnson at owasp.org>
>> wrote:
>>
>>> I'm interested in this also. I think it's a big deal if we use bad
>>> packages.
>>> On Jun 17, 2013 9:30 AM, "Erlend Oftedal" <Erlend.Oftedal at bekk.no>
>>> wrote:
>>>
>>>> Great stuff, Dinis. I'll move it over to the OWASP repo.
>>>>
>>>> Erlend
>>>>
>>>> Sent from my phone
>>>> ------------------------------
>>>> From: Dinis Cruz <dinis.cruz at owasp.org>
>>>> Sent: 17.06.2013 10:52
>>>> To: owasp-leaders at lists.owasp.org
>>>> Subject: Re: [Owasp-leaders] NuGet and OWASP Top10 2013 A9
>>>>
>>>> Absolutely, this type of NuGet package security mapping is something
>>>> that is really needed, and I really worry about the lack of security info that
>>>> is available for NuGet packages.
>>>>
>>>> Btw, we should move the https://github.com/eoftedal/SafeNuGet into
>>>> the OWASP GitHub repo, just like we did for
>>>> https://github.com/OWASP/WebGoat.NET (I added an issue about it:
>>>> <https://github.com/eoftedal/SafeNuGet/issues/7>)
>>>>
>>>>  Also, have you seen my posts on NuGet? Namely how I downloaded the
>>>> entire NuGet database? (which we could use to create the mappings to add to
>>>> the SafeNuGet database):
>>>>
>>>>    - Offline copy of the entire NuGet.org gallery. What should I do
>>>>    with these 4.05 Gbs of amazing .Net Apps/APIs?
>>>>    <http://blog.diniscruz.com/2013/05/offline-copy-of-entire-nugetorg-gallery.html>
>>>>    - Consuming NuGet programmatically outside VisualStudio
>>>>    (downloading the list of packages)
>>>>    <http://blog.diniscruz.com/2013/05/consuming-nuget-programmatically.html>
>>>>    - Retrieving NuGet package programatically using NuGet.exe classes
>>>>    (not command line)
>>>>    <http://blog.diniscruz.com/2013/05/retrieving-nuget-package.html>
>>>>    - Saving the entire list of NuGet Packages
>>>>    <http://blog.diniscruz.com/2013/05/saving-entire-list-of-nuget-packages.html>
>>>>    - Downloading the entire NuGet package database
>>>>    <http://blog.diniscruz.com/2013/05/downloading-entire-nuget-package.html>
>>>>
>>>>
>>>> Dinis Cruz
>>>>
>>>> Blog: http://diniscruz.blogspot.com
>>>> Twitter: http://twitter.com/DinisCruz
>>>> Web: http://www.owasp.org/index.php/O2
>>>>
>>>>
>>>> On 17 June 2013 09:00, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:
>>>>
>>>>>   Hi
>>>>>
>>>>>  I recently published a tool to warn about the use of insecure NuGet
>>>>> libraries (in the .NET world).
>>>>> You can find the info at: http://erlend.oftedal.no/blog/?blogid=138
>>>>>
>>>>>  If successful, maybe it could be a new OWASP project.
>>>>>
>>>>>  Best regards
>>>>>  Erlend Oftedal
>>>>> OWASP Norway Chapter lead
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>
>>
>
>
> --
>
> Michael Hidalgo
> OWASP Chapter Leader & Researcher
>
> Blog: http://michaelhidalgocr.blogspot.com
>
>
>
>
>