
Ask HN: How do you check for malware in OSS packages? - riyakhanna1983
What tools would you suggest to scan for malicious packages or dependencies?
======
shoo
Maybe some ideas here:
https://www.owasp.org/index.php/Source_Code_Analysis_Tools

At work we use a commercial tool for static analysis. From what I have seen it
is rather stupid, it produces a lot of false positive security issues about
things like allocating memory (potential resource exhaustion vulnerability...)

You also probably want to pin versions of all dependencies, and store them in
a repository that you control access to (a good idea for reproducibility,
ignoring security).

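The pin-and-store advice above is only as strong as the check that the artifact you install is the one you pinned. As an added illustration (not code from the thread or from any of the tools named in it), here is a small Python verifier for the style of hash pinning that pip's requirements files support (`name==version --hash=sha256:<hex>`): it refuses unpinned lines, flags artifacts whose digest differs from the lockfile, and flags artifacts that are not in the lockfile at all. The lockfile text, package names and "wheel" bytes are constructed inline so it runs offline; `examplepkg` and `helperlib` are placeholders, not real packages.

```python
"""Verify fetched dependency artifacts against sha256 pins in a lockfile.

Constructed example: the lockfile format mirrors pip's requirements.txt hash
pinning, but the packages, bytes and hashes below are made up for the demo.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# One requirement per line: name==version --hash=sha256:<64 hex chars>
LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def parse_lockfile(text: str) -> Dict[str, Tuple[str, str]]:
    """Map lowercase package name -> (version, expected sha256 hex).

    Any line that is not fully pinned (version AND hash) is rejected, because
    a partial pin silently re-opens the door to a substituted artifact.
    """
    pins: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[m["name"].lower()] = (m["version"], m["digest"])
    return pins


def verify_artifacts(pins: Dict[str, Tuple[str, str]],
                     artifacts: Dict[str, bytes]) -> List[str]:
    """Return a list of problems; an empty list means everything matched.

    artifacts maps package name -> bytes of the downloaded file (wheel/sdist).
    """
    problems: List[str] = []
    got = {name.lower(): data for name, data in artifacts.items()}
    for name, (version, expected) in pins.items():
        data = got.get(name)
        if data is None:
            problems.append(f"{name}=={version}: artifact missing")
            continue
        actual = hashlib.sha256(data).hexdigest()
        if actual != expected:
            problems.append(
                f"{name}=={version}: sha256 mismatch "
                f"(expected {expected[:12]}..., got {actual[:12]}...)"
            )
    for name in got:
        if name not in pins:
            problems.append(f"{name}: not in lockfile (unexpected dependency)")
    return problems


# --- constructed sample data ---------------------------------------------
GOOD_WHEEL = b"constructed bytes standing in for examplepkg-1.2.0 wheel"
HELPER_WHEEL = b"constructed bytes standing in for helperlib-0.4.1 wheel"
# A lockfile generated from the artifacts we reviewed and decided to trust.
LOCKFILE = (
    "# constructed lockfile\n"
    f"examplepkg==1.2.0 --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}\n"
    f"helperlib==0.4.1 --hash=sha256:{hashlib.sha256(HELPER_WHEEL).hexdigest()}\n"
)


def check_clean_install() -> List[str]:
    """All artifacts match the pins -> no problems."""
    pins = parse_lockfile(LOCKFILE)
    return verify_artifacts(pins, {"examplepkg": GOOD_WHEEL, "helperlib": HELPER_WHEEL})


def check_tampered_install() -> List[str]:
    """Same version string, different bytes -> the hash check catches it."""
    pins = parse_lockfile(LOCKFILE)
    tampered = GOOD_WHEEL + b"\n# extra payload appended to the artifact"
    return verify_artifacts(pins, {"examplepkg": tampered, "helperlib": HELPER_WHEEL})


if __name__ == "__main__":
    print("clean:", check_clean_install() or "ok")
    print("tampered:", check_tampered_install())
```

Version-only pins (`examplepkg==1.2.0` with no hash) are rejected on purpose: a version string says nothing about the bytes, so the lockfile must carry the digest you verified when you vetted the package.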
~~~
relaunched
SAST tools take a lot of work to get up and running. If you're just running
them out of the box, you're probably doing it wrong.

------
relaunched
There are open source tools for CVE checking, which is a good start, there are
also commercial alternatives like Whitesource. CSP headers can help. So is
only using packages that are actively updated.

------
riyakhanna1983
What tools have you been using to scan NPM/Python/Ruby/Go packages for
malicious dependencies? How do I know if one of the dependencies in my package
is not going to steal my NPM credentials, for example?

------
avichalp
If you are looking for something that helps you keep your OSS packages secure,
then Snyk[0] is doing an excellent job at it.

[0] https://snyk.io

~~~
riyakhanna1983
Snyk only checks for known vulnerabilities, not if the package itself is
malicious.

