Checking hex dependencies over time for security vulnerabilities

Quick question …

I’m working to bring elixir into a enterprise level environment and one of the requirements is to check hex dependencies over time for security vulnerabilities etc. What (if any) tools are people in the elixir community using to cover this space?

Thanks!
– Randy

I think you are looking for https://github.com/nccgroup/sobelow

1 Like

Does mix hex.audit meet those needs?

1 Like

Thanks all; I didn’t know about either of those. Will take a look.

I run a Dependency Track server, and every build automatically uploads a bill-of-materials of all Hex and NPM packages to the server. I also track OS packages for the deployment VMs in the same server. New vulnerabilities (from NVD, NPM, OSS Index) across all projects and ecosystems trigger Slack notifications. The dashboard lets me track the overall status of projects over time, audit vulnerabilities, check license usage, etc.

I wrote a blog post about it here.

3 Likes

The hex.audit task is useful, but not enough: it requires that the package maintainer acknowledges and fixes the reported vulnerability, and retires the affected package versions. If this doesn’t happen, the only alternative may be to switch to another package or accept the risk.

Right now my DependencyTrack server tells me that I’m affected by CVE-2019-15160, which has been an open issue in SweetXml for almost a year. Since no package has been retired, hex.audit would not make me aware of the issue, and I wouldn’t know to audit it.

2 Likes

Check this DependaBot. It was acquired by GitHub. We use it and it works very well.

1 Like

There is now another (commercial, but free to start) option: Secure Elixir development with Snyk | Snyk

I’ve tried their beta, it had a few issues with more complex projects, but they’ve been quite responsive about addressing those early hiccups. You can run a scan locally and get the results displayed in the terminal, or you can submit your dependency list to their server so you’ll get notifications for new vulnerabilities. Nice thing is that it works regardless of where your code resides, which I imagine would be useful in enterprise environments…

1 Like