
Integrate Malicious Package Analysis with vet #303

Closed
abhisek opened this issue Jan 3, 2025 · 3 comments · Fixed by #309
Labels: enhancement (New feature or request)

Comments

abhisek (Member) commented Jan 3, 2025

Background

We have a basic client integration of the safedep.io Malware Analysis service with vet. This is documented in: https://docs.safedep.io/cloud/malware-analysis

However, given the nature of the service and the rate limits, we cannot scan every single package in a dependency graph every time like what vet does with OSS packages. We need the ability to only perform analysis on packages that are considered to be untrustworthy or risky by vet. The output of Malicious Package analysis service can be leveraged by vet to reduce or eliminate the need to manually analyse any potentially unpopular package. It will also allow users to use vet to establish a proactive guardrail against malicious OSS packages that perform active scanning and not just a database query.

abhisek self-assigned this Jan 3, 2025
abhisek (Member, Author) commented Jan 15, 2025

vet and vet-action integration with Malware Scanning will help protect against malicious OSS components introduced during a PR. vet-action is already capable of identifying the PR diff of packages. We will add support in vet to enrich package metadata with malware scan results in addition to the existing Insights data. This will allow us to provide a decision as a report regarding the safety of a given package.

Feedback

Markdown Summary Report

We will provide the following feedback to the user as part of vet-action markdown reporting. This will be available as part of vet-action scan result.

| Package | Version | Status | Report |
|---|---|---|---|
| example-pkg-1 | 1.2.2 | | 🔗 |
| example-pkg-2 | 1.2.2 | 🟠 | 🔗 |
| example-pkg-3 | 1.2.2 | | 🔗 |

Note: vet-action has a limitation on PR commenting for PRs from forks, due to security reasons.

Summary Report

We will extend the summary report to provide a status on the number of packages with known and unknown malware scan results. The unknown case may happen because we will set a (configurable) time limit for malware scans to finish, beyond which we will not wait, to avoid slowing down the SDLC process. Subsequent scans will likely have the reports available and will improve coverage.

Implementation

We will improve our data enrichment system to enrich discovered packages with the malware scan report. The enrichment layer is however not responsible for making a decision on fail or pass actions. We will have an analyser that makes the decision based on policy and malware scan data to determine the gating behaviour.

Limitations

Malicious Package scanning is a time-intensive process. Not all packages can be scanned within a reasonable time. Hence we will set a configurable default time limit to wait before wrapping up malicious package detection, and provide reporting that highlights:

  • Packages with scan results available
  • Packages with scan results unavailable
  • Packages with possible malicious behaviour
  • Packages with confirmed malicious behaviour
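The comment above describes two separate layers: an enrichment step that attaches malware scan results to discovered packages but gives up on any scan that does not finish within a configurable time limit, and an analyser that turns policy plus scan data into a pass/fail gate and the four reporting buckets. The Go program below is an added illustration of that split and is not vet's own code: the `Scanner` interface, `Policy` fields, `fakeScanner` and the constructed package list with its latencies are all assumptions made for the example.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// Verdict mirrors the reporting buckets listed under "Limitations".
type Verdict int

const (
	VerdictUnavailable Verdict = iota // scan did not finish before the time limit
	VerdictClean
	VerdictPossiblyMalicious
	VerdictConfirmedMalicious
)

// Package identifies one discovered dependency; ScanResult is its enrichment.
type Package struct{ Ecosystem, Name, Version string }
type ScanResult struct{ Verdict Verdict }

// Scanner is a hypothetical abstraction over the remote analysis service.
// Implementations must honour ctx so that a slow scan can be abandoned.
type Scanner interface {
	Scan(ctx context.Context, p Package) (ScanResult, error)
}

// Enrich scans all packages concurrently but waits at most limit in total.
// A package whose scan has not completed by then is recorded as Unavailable
// rather than blocking the run; this layer makes no pass/fail decision.
func Enrich(ctx context.Context, s Scanner, pkgs []Package, limit time.Duration) map[Package]ScanResult {
	ctx, cancel := context.WithTimeout(ctx, limit)
	defer cancel()
	type outcome struct {
		p   Package
		r   ScanResult
		err error
	}
	ch := make(chan outcome, len(pkgs))
	for _, p := range pkgs {
		go func(p Package) {
			r, err := s.Scan(ctx, p)
			ch <- outcome{p, r, err}
		}(p)
	}
	results := make(map[Package]ScanResult, len(pkgs))
	for range pkgs {
		o := <-ch
		if o.err != nil { // deadline exceeded or service error: no verdict
			o.r = ScanResult{Verdict: VerdictUnavailable}
		}
		results[o.p] = o.r
	}
	return results
}

// Policy holds the analyser's configurable gating behaviour (hypothetical fields).
type Policy struct {
	FailOnPossible    bool // also block on "possible" malicious behaviour
	FailOnUnavailable bool // treat a missing result as a failure
}

// Summary is what the summary report shows: counts per bucket plus the gate.
type Summary struct {
	Available, Unavailable, Possible, Confirmed int
	Pass                                       bool
}

// Analyse is the separate decision step: policy + scan data -> pass/fail.
func Analyse(results map[Package]ScanResult, pol Policy) Summary {
	s := Summary{Pass: true}
	for _, r := range results {
		switch r.Verdict {
		case VerdictUnavailable:
			s.Unavailable++
			s.Pass = s.Pass && !pol.FailOnUnavailable
		case VerdictClean:
			s.Available++
		case VerdictPossiblyMalicious:
			s.Available, s.Possible = s.Available+1, s.Possible+1
			s.Pass = s.Pass && !pol.FailOnPossible
		case VerdictConfirmedMalicious:
			s.Available, s.Confirmed = s.Available+1, s.Confirmed+1
			s.Pass = false // confirmed malware always fails, whatever the policy
		}
	}
	return s
}

// fakeScanner stands in for the SafeDep service with constructed verdicts and latencies.
type fakeScanner map[string]struct {
	verdict Verdict
	delay   time.Duration
}

func (f fakeScanner) Scan(ctx context.Context, p Package) (ScanResult, error) {
	select {
	case <-time.After(f[p.Name].delay):
		return ScanResult{Verdict: f[p.Name].verdict}, nil
	case <-ctx.Done():
		return ScanResult{}, ctx.Err()
	}
}

// Demo runs a constructed scenario: three fast scans and one that exceeds the limit.
func Demo() Summary {
	pkgs := []Package{{"npm", "express", "4.18.2"}, {"npm", "yocto-queue", "0.1.0"},
		{"npm", "expect", "29.7.0"}, {"npm", "slow-pkg", "0.0.1"}}
	sc := fakeScanner{
		"express":     {VerdictClean, 10 * time.Millisecond},
		"yocto-queue": {VerdictClean, 5 * time.Millisecond},
		"expect":      {VerdictPossiblyMalicious, 10 * time.Millisecond},
		"slow-pkg":    {VerdictClean, 2 * time.Second},
	}
	results := Enrich(context.Background(), sc, pkgs, 200*time.Millisecond)
	return Analyse(results, Policy{FailOnPossible: true})
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Running `Demo` yields three available results, one unavailable (the slow scan hit the 200 ms limit), one "possible" finding and a failed gate because the policy blocks on possible behaviour; with `Policy{}` the same data passes. Keeping the deadline in `Enrich` and the decision in `Analyse` means a tighter or looser time limit never changes what counts as a failure, only how many packages end up in the unavailable bucket.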

abhisek (Member, Author) commented Jan 17, 2025

Ref: #309

abhisek linked a pull request Jan 17, 2025 that will close this issue
abhisek added the enhancement (New feature or request) label Jan 17, 2025
abhisek (Member, Author) commented Jan 21, 2025

vet Summary Report

This report is generated by vet

Policy Checks

  • ✅ Vulnerability
  • ✅ Malware
  • ✅ License
  • ✅ Popularity
  • ✅ Maintenance
  • ✅ Security Posture
  • ❌ Threats

Threats

LockfilePoisoning

  • ⚠️ Found in manifest test/scenarios/fixtures/lockfiles/nestjs-lfp-package-lock.json, Package express resolved to a URL https://registry.npmjs.org/@somerandomorg/express/-/express-4.18.2-p2.tgz that does not follow the package name path convention. Refer to this for more details

Malicious Package Analysis

Malicious package analysis is performed using SafeDep Cloud API.

Malicious Package Analysis Report

| Ecosystem | Package | Version | Status | Report |
|---|---|---|---|---|
| ECOSYSTEM_NPM | yocto-queue | 0.1.0 | | 🔗 |
| ECOSYSTEM_NPM | expect | 29.7.0 | | 🔗 |
| ECOSYSTEM_NPM | express | 4.18.2 | | 🔗 |

  • ℹ️ 3 packages have been actively analyzed for malicious behaviour.
  • ✅ No malicious packages found.
Changed Packages

  • ✅ [Npm] expect@29.7.0
  • ✅ [Npm] express@4.18.2
  • ✅ [Npm] yocto-queue@0.1.0
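The LockfilePoisoning finding in the report above flags a lockfile entry whose `resolved` URL does not follow the registry path convention for the package name: `express` resolving to a tarball under `@somerandomorg/express/` is the page's example. The Go function below is an added illustration of that kind of check and is not vet's implementation; it encodes the npm convention `/<name>/-/<unscoped-name>-<version>.tgz`, and the comparison of the tarball file name against the locked version is an extra assumption of this example, not something the report states. The host is deliberately not checked so that private mirrors are not flagged.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ResolvedURLMatchesPackage reports whether an npm "resolved" tarball URL
// follows the registry path convention for the named package:
//
//	/<name>/-/<unscoped-name>-<version>.tgz
//
// For scoped packages "<name>" is "@scope/pkg" and the tarball uses "pkg".
// The registry host is not compared, so mirrors are accepted. (Example
// check written for this page; not vet's own code.)
func ResolvedURLMatchesPackage(name, version, resolved string) (bool, string) {
	u, err := url.Parse(resolved)
	if err != nil {
		return false, "unparseable URL: " + err.Error()
	}
	wantDir := "/" + name + "/-/"
	if !strings.HasPrefix(u.Path, wantDir) {
		return false, fmt.Sprintf("path %q does not start with %q", u.Path, wantDir)
	}
	unscoped := name
	if i := strings.LastIndex(name, "/"); i >= 0 {
		unscoped = name[i+1:]
	}
	wantFile := unscoped + "-" + version + ".tgz"
	if got := path.Base(u.Path); got != wantFile {
		return false, fmt.Sprintf("tarball %q, expected %q", got, wantFile)
	}
	return true, ""
}

func main() {
	// The page's own finding: express@4.18.2 resolved under another scope.
	ok, why := ResolvedURLMatchesPackage("express", "4.18.2",
		"https://registry.npmjs.org/@somerandomorg/express/-/express-4.18.2-p2.tgz")
	fmt.Println(ok, why)
}
```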
