randysecrist
Checking hex dependencies over time for security vulnerabilities
Quick question …
I’m working to bring elixir into an enterprise-level environment and one of the requirements is to check hex dependencies over time for security vulnerabilities etc. What (if any) tools are people in the elixir community using to cover this space?
Thanks!
– Randy
Most Liked
voltone
I run a Dependency Track server, and every build automatically uploads a bill-of-materials of all Hex and NPM packages to the server. I also track OS packages for the deployment VMs in the same server. New vulnerabilities (from NVD, NPM, OSS Index) across all projects and ecosystems trigger Slack notifications. The dashboard lets me track the overall status of projects over time, audit vulnerabilities, check license usage, etc.
I wrote a blog post about it here.
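As an added example (not code from the thread, from the blog post, or from Dependency Track itself), here is a Python script for the CI step voltone describes: it reads the Hex packages pinned in `mix.lock`, emits a CycloneDX BOM, and uploads it to a Dependency Track server. The `mix.lock` sample, its placeholder checksums, the project name `my_app`, and the `DT_URL`/`DT_API_KEY` environment variable names are assumptions; the `PUT /api/v1/bom` request shape is the one Dependency Track v4 documents for its REST API, so check it against your server version. It is written in Python rather than as a mix task so the pipeline can run it without compiling the project.

```python
"""Build a CycloneDX BOM of Hex packages from mix.lock and upload it
to a Dependency Track server. Added example, not the thread's own code."""
import base64
import json
import os
import re
import sys
import uuid
from urllib import request

# Constructed mix.lock sample (not from the original thread). The
# 64-character checksums are placeholders, not real package hashes.
# Entry 1: newer lock format with an outer checksum; entry 2: older
# format without one; entry 3: a git dependency, which has no Hex
# coordinates and is therefore skipped.
_SHA = "0123456789abcdef" * 4
SAMPLE_MIX_LOCK = """%{
  "sweet_xml": {:hex, :sweet_xml, "0.6.6", "<SHA>", [:mix], [], "hexpm", "<SHA>"},
  "plug": {:hex, :plug, "1.10.0", "<SHA>", [:mix], [{:mime, "~> 1.0", [hex: :mime, repo: "hexpm", optional: false]}], "hexpm"},
  "my_fork": {:git, "https://github.com/example/my_fork.git", "0123456789abcdef0123456789abcdef01234567", []},
}
""".replace("<SHA>", _SHA)

# One Hex entry in mix.lock: "name": {:hex, :name, "version", "sha256", ...}
HEX_ENTRY = re.compile(
    r'"(?P<name>[^"]+)":\s*\{:hex,\s*:(?P<pkg>[A-Za-z0-9_]+),\s*'
    r'"(?P<version>[^"]+)",\s*"(?P<checksum>[0-9a-f]{64})"'
)


def parse_mix_lock(text):
    """Return the Hex packages pinned in a mix.lock, sorted by name.

    Git and path dependencies have no Hex coordinates and are left out;
    they have to be tracked by other means (e.g. the upstream repo's BOM).
    """
    found = []
    for m in HEX_ENTRY.finditer(text):
        found.append({"name": m["pkg"], "version": m["version"],
                      "checksum": m["checksum"]})
    return sorted(found, key=lambda c: c["name"])


def to_cyclonedx(packages, project_name, project_version):
    """Build a CycloneDX 1.4 JSON document for the given Hex packages."""
    components = []
    for p in packages:
        components.append({
            "type": "library",
            "name": p["name"],
            "version": p["version"],
            # The package-url is what Dependency Track matches against
            # its vulnerability sources (NVD, OSS Index, ...).
            "purl": f"pkg:hex/{p['name']}@{p['version']}",
            # mix.lock checksums are SHA-256 digests of the package tarball.
            "hashes": [{"alg": "SHA-256", "content": p["checksum"]}],
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": project_name,
                                   "version": project_version}},
        "components": components,
    }


def build_upload_payload(bom, project_name, project_version):
    """Body for Dependency Track's PUT /api/v1/bom: the BOM travels
    base64-encoded; autoCreate lets the server create the project on
    first upload instead of requiring a project UUID."""
    encoded = base64.b64encode(json.dumps(bom).encode()).decode()
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": True, "bom": encoded}


def decode_payload(payload):
    """Inverse of build_upload_payload: recover the BOM dict (for checks)."""
    return json.loads(base64.b64decode(payload["bom"]))


def upload_bom(server_url, api_key, payload):
    """PUT the payload to the server; returns the HTTP status code."""
    req = request.Request(f"{server_url.rstrip('/')}/api/v1/bom",
                          data=json.dumps(payload).encode(), method="PUT",
                          headers={"Content-Type": "application/json",
                                   "X-Api-Key": api_key})
    with request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # usage: python hex_bom.py [path/to/mix.lock]
    # DT_URL and DT_API_KEY (names assumed here) trigger the upload;
    # without them the BOM is printed so it can be inspected or archived.
    lock_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MIX_LOCK
    bom = to_cyclonedx(parse_mix_lock(lock_text), "my_app", "1.0.0")
    if os.environ.get("DT_URL") and os.environ.get("DT_API_KEY"):
        print(upload_bom(os.environ["DT_URL"], os.environ["DT_API_KEY"],
                         build_upload_payload(bom, "my_app", "1.0.0")))
    else:
        print(json.dumps(bom, indent=2))
```

Run it once per build with the project version set to the commit or release tag, so the server keeps one BOM per version and the dashboard shows how the dependency set and its findings change over time. Git and path dependencies are deliberately left out of the BOM because they carry no Hex name or version to match against; they still need to be covered separately.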
voltone
The hex.audit task is useful, but not enough: it requires that the package maintainer acknowledges and fixes the reported vulnerability, and retires the affected package versions. If this doesn’t happen, the only alternative may be to switch to another package or accept the risk.
Right now my DependencyTrack server tells me that I’m affected by CVE-2019-15160, which has been an open issue in SweetXml for almost a year. Since no package has been retired, hex.audit would not make me aware of the issue, and I wouldn’t know to audit it.
cpgo
I think you are looking for GitHub - nccgroup/sobelow: Security-focused static analysis for the Phoenix Framework