Rating of Libraries Requiring Special Security Checks

The Core Infrastructure Initiative (CII), a foundation formed by the Linux Foundation in which leading corporations have joined forces to support open source projects that play a key role in the computer industry, has carried out a second study under its Census program, aimed at identifying open projects that need a priority security audit.

The second study focuses on the analysis of shared open source code that is implicitly used in many enterprise projects in the form of dependencies downloaded from external repositories. Vulnerabilities in, or compromise of, the developers of third-party components involved in an application's operation (its supply chain) can nullify all efforts to protect the main product. The study identified the 10 most widely used JavaScript and Java packages that require special attention to security and maintenance.

JavaScript libraries from the npm repository:

  • async (196 thousand lines of code, 11 authors, 7 committers, 11 open issues);
  • inherits (3.8 thousand lines of code, 3 authors, 1 committer, 3 open issues);
  • isarray (317 lines of code, 3 authors, 3 committers, 4 open issues);
  • kind-of (2 thousand lines of code, 11 authors, 11 committers, 3 open issues);
  • lodash (42 thousand lines of code, 28 authors, 2 committers, 30 open issues);
  • minimist (1.2 thousand lines of code, 14 authors, 6 committers, 38 open issues);
  • virgin (3 thousand lines of code, 2 authors, 1 committer, no open issues);
  • qs (5.4 thousand lines of code, 5 authors, 2 committers, 41 open issues);
  • readable-stream (28 thousand lines of code, 10 authors, 3 committers, 21 open issues);
  • string_decoder (4.2 thousand lines of code, 4 authors, 3 committers, 2 open issues).

Java libraries from the Maven repository:

  • jackson-core (74 thousand lines of code, 7 authors, 6 committers, 40 open issues);
  • jackson-databind (74 thousand lines of code, 23 authors, 2 committers, 363 open issues);
  • guava, Google Libraries for Java (1 million lines of code, 83 authors, 3 committers, 620 open issues);
  • commons-codec (51 thousand lines of code, 3 authors, 3 committers, 29 open issues);
  • commons-io (73 thousand lines of code, 10 authors, 6 committers, 148 open issues);
  • httpcomponents-client (121 thousand lines of code, 16 authors, 8 committers, 47 open issues);
  • httpcomponents-core (131 thousand lines of code, 15 authors, 4 committers, 7 open issues);
  • logback (154 thousand lines of code, 1 author, 2 committers, 799 open issues);
  • commons-lang (168 thousand lines of code, 28 authors, 17 committers, 163 open issues);
  • slf4j (38 thousand lines of code, 4 authors, 4 committers, 189 open issues).
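The first practical step a team can take with the two lists above is to find out whether any of these packages are in its own dependency tree, directly or transitively, and at which version. The following script is an added example, not code from the Census II report or from opennet.ru: it walks an npm package-lock.json (lockfileVersion 2 "packages" map) and a Maven pom.xml, both constructed inline for the demonstration, and reports every copy of a watch-listed package it finds. The npm names come straight from the list; the Maven groupId:artifactId coordinates are this example's assumed mapping from the project names in the list to published artifacts.

```python
"""Added example (not from the report or the article): inventory a project's
dependencies against the npm and Maven packages named in the lists above."""
import json
import xml.etree.ElementTree as ET

# npm package names taken from the article's list.
NPM_WATCHLIST = {"async", "inherits", "isarray", "kind-of", "lodash", "minimist",
                 "qs", "readable-stream", "string_decoder"}
# Assumed groupId:artifactId coordinates for the Java projects in the list.
MAVEN_WATCHLIST = {
    "com.fasterxml.jackson.core:jackson-core", "com.fasterxml.jackson.core:jackson-databind",
    "com.google.guava:guava", "commons-codec:commons-codec", "commons-io:commons-io",
    "org.apache.httpcomponents:httpclient", "org.apache.httpcomponents:httpcore",
    "ch.qos.logback:logback-classic", "org.apache.commons:commons-lang3", "org.slf4j:slf4j-api"}

# Constructed sample lockfile: lodash is a direct dependency, the other watch-listed
# packages arrive transitively (qs twice, once through nested resolution under express).
PACKAGE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"express": "^4.17.1", "lodash": "4.17.15"}},
    "node_modules/express": {"version": "4.17.1", "dependencies": {"qs": "6.7.0"}},
    "node_modules/qs": {"version": "6.7.0"},
    "node_modules/express/node_modules/qs": {"version": "6.5.2"},
    "node_modules/lodash": {"version": "4.17.15"},
    "node_modules/readable-stream": {"version": "2.3.7"},
    "node_modules/inherits": {"version": "2.0.4"},
    "node_modules/string_decoder": {"version": "1.1.1"}
  }
}""")

# Constructed sample pom.xml: one pinned watch-listed artifact, one whose version
# comes from a build property, and one unrelated test-scoped dependency.
POM_XML = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId><version>2.9.9</version></dependency>
    <dependency><groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId><version>${commons.lang.version}</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId>
      <version>4.12</version><scope>test</scope></dependency>
  </dependencies>
</project>"""


def npm_package_name(lock_path):
    """Map a lockfile path such as node_modules/a/node_modules/@s/b to @s/b."""
    return lock_path.rsplit("node_modules/", 1)[1]


def npm_watchlist_hits(lock):
    """Return every installed copy of a watch-listed npm package, sorted by name and path."""
    root = lock["packages"][""]
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    hits = []
    for path, meta in lock["packages"].items():
        if not path:
            continue  # the "" entry is the project itself
        name = npm_package_name(path)
        if name in NPM_WATCHLIST:
            hits.append({"ecosystem": "npm", "name": name, "version": meta.get("version"),
                         "direct": name in direct, "path": path,
                         "pinned": True})  # a lockfile always records an exact version
    return sorted(hits, key=lambda h: (h["name"], h["path"]))


def maven_watchlist_hits(pom_text):
    """Return watch-listed artifacts declared directly in a pom.xml.

    A pom.xml lists only direct dependencies; transitive ones would need the output
    of `mvn dependency:tree`, which this example does not parse.
    """
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_text)
    hits = []
    for dep in root.findall("m:dependencies/m:dependency", ns):
        coord = (dep.findtext("m:groupId", default="", namespaces=ns) + ":"
                 + dep.findtext("m:artifactId", default="", namespaces=ns))
        if coord in MAVEN_WATCHLIST:
            version = dep.findtext("m:version", default="", namespaces=ns)
            hits.append({"ecosystem": "maven", "name": coord, "version": version,
                         "direct": True, "path": "pom.xml",
                         # a version taken from a ${property} is not pinned in place
                         "pinned": bool(version) and "${" not in version})
    return hits


def audit_report(lock, pom_text):
    """Print and return the combined inventory of watch-listed dependencies."""
    hits = npm_watchlist_hits(lock) + maven_watchlist_hits(pom_text)
    for h in hits:
        kind = "direct" if h["direct"] else "transitive"
        pin = "" if h["pinned"] else " (unpinned)"
        print(f"{h['ecosystem']:5} {h['name']:48} {h['version'] or '?':10} {kind}{pin}")
    return hits


if __name__ == "__main__":
    audit_report(PACKAGE_LOCK, POM_XML)
```

Run against a real project by replacing the two constructed inputs with the contents of its package-lock.json and pom.xml. The transitive entries are the ones a team most often overlooks, and a duplicated package at two versions (as with qs here) means two copies to track when one of them gets a security fix.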

The report also looks at standardizing the naming scheme for external components, securing developer accounts, and maintaining legacy versions after major new releases. In addition, the Linux Foundation has published a document with practical recommendations for organizing a secure development process in open source projects.

The document covers the distribution of roles in a project, the creation of teams responsible for security, the definition of security policies, monitoring of the permissions held by project participants, the correct use of Git when fixing vulnerabilities so that details do not leak before the fix is published, the definition of processes for responding to reports of security problems, the deployment of security testing systems, the application of code review procedures, and the consideration of security-related criteria when forming releases.

Source: opennet.ru