Overview

sdc-check

Easy-to-use tool to inform you about potential risks in your project dependencies list

Usage

Add to your project

Add a new npm script to the "scripts" section of your package.json (the -d flag points sdc-check at the directory holding the package.json and lockfile to audit)

"scripts": {
  "sdc-check": "sdc-check -d ."
}

Use in your CI pipeline

Add a new step to your pipeline that runs the script above (use npm run sdc-check if your project is installed with npm); sdc-check exits with an error when a metric listed under "errors" fails, which is what makes the pipeline step fail

# GitHub Actions example:
- name: Check dependencies with sdc-check
  run: yarn sdc-check

Configure

Add a "sdc-check" section to your package.json to change the defaults

  • options tune the metric thresholds: limitOfDecisionMakers feeds too-many-decision-makers, daysBeforeUpgradeToNewVersion feeds package-is-too-new and monthsOfInactivityAllowed feeds released-after-long-period-of-inactivity
  • errors lists the metrics that make the audit fail when they do not pass; only the metrics named here fail the audit

"sdc-check": {
  "options": {
    "limitOfDecisionMakers": 7,
    "daysBeforeUpgradeToNewVersion": 7,
    "monthsOfInactivityAllowed": 9
  },
  "errors": ["package-is-too-new", "lockfile-is-not-safe", "has-os-scripts", "dangerous-shell-commands"]
}
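To show what the two date-related options actually control, here is an added example (not sdc-check's own code) that derives the three date-based metrics from the "time" map the npm registry returns for a package: one ISO timestamp per published version plus the registry's own "created" and "modified" keys. daysBeforeUpgradeToNewVersion and monthsOfInactivityAllowed are taken from the options block above; the one-year limit for unmaintained-package is fixed, as the README states. The two packuments, their names and the clock value are constructed for the example.

```javascript
// Added example, not sdc-check's own code: date-based metrics derived from
// a registry packument's "time" map. Thresholds mirror the package.json
// "options" block; the 12-month unmaintained limit is fixed per the README.
// All packument data and the clock value below are constructed.

const DAY_MS = 24 * 60 * 60 * 1000;
const UNMAINTAINED_AFTER_MONTHS = 12;

// Published versions in chronological order, without the registry's bookkeeping keys.
function releaseHistory(time) {
  return Object.entries(time)
    .filter(([key]) => key !== 'created' && key !== 'modified')
    .map(([version, iso]) => ({ version, date: new Date(iso) }))
    .sort((a, b) => a.date - b.date);
}

// 30-day months are precise enough for comparing against a threshold.
function monthsBetween(earlier, later) {
  return (later - earlier) / (30 * DAY_MS);
}

function dateMetrics(packument, options, now = new Date()) {
  const { daysBeforeUpgradeToNewVersion = 7, monthsOfInactivityAllowed = 9 } = options;
  const history = releaseHistory(packument.time);
  const latest = history[history.length - 1];
  const previous = history[history.length - 2];
  const spec = `${packument.name}@${latest.version}`;
  const findings = [];

  // package-is-too-new: the newest release has not been out long enough for the community to test it.
  const ageDays = (now - latest.date) / DAY_MS;
  if (ageDays < daysBeforeUpgradeToNewVersion) {
    findings.push({ metric: 'package-is-too-new', package: spec,
      message: `package release date is ${latest.date.toISOString().slice(0, 10)}` });
  }

  // released-after-long-period-of-inactivity: a long silence right before the newest
  // release, the pattern a hijacked account leaves when it publishes to a dormant package.
  if (previous) {
    const gap = monthsBetween(previous.date, latest.date);
    if (gap > monthsOfInactivityAllowed) {
      findings.push({ metric: 'released-after-long-period-of-inactivity', package: spec,
        message: `${Math.floor(gap)} months between ${previous.version} and ${latest.version}` });
    }
  }

  // unmaintained-package: nothing published for a year.
  if (monthsBetween(latest.date, now) > UNMAINTAINED_AFTER_MONTHS) {
    findings.push({ metric: 'unmaintained-package', package: spec,
      message: `last release ${latest.date.toISOString().slice(0, 10)}` });
  }
  return findings;
}

// Constructed packuments: a dormant package that just got a surprise release,
// and one that has simply been left alone.
const REVIVED = { name: 'revived-lib', time: {
  created: '2020-01-10T00:00:00.000Z', modified: '2022-03-30T00:00:00.000Z',
  '1.0.0': '2020-01-10T00:00:00.000Z', '1.0.1': '2020-03-01T00:00:00.000Z',
  '2.0.0': '2022-03-30T00:00:00.000Z' } };
const STALE = { name: 'stale-lib', time: {
  created: '2019-05-05T00:00:00.000Z', modified: '2019-11-20T00:00:00.000Z',
  '0.1.0': '2019-05-05T00:00:00.000Z', '0.2.0': '2019-11-20T00:00:00.000Z' } };
const OPTIONS = { daysBeforeUpgradeToNewVersion: 7, monthsOfInactivityAllowed: 9 };
const NOW = new Date('2022-04-02T00:00:00.000Z'); // fixed clock so the result is reproducible

for (const pkg of [REVIVED, STALE]) {
  for (const f of dateMetrics(pkg, OPTIONS, NOW)) console.log(`${f.package}: ${f.metric} (${f.message})`);
}
```

With the fixed clock, revived-lib trips both package-is-too-new (three days old) and released-after-long-period-of-inactivity (about 25 months between 1.0.1 and 2.0.0), while stale-lib only trips unmaintained-package. Raising monthsOfInactivityAllowed above 25 would silence the second finding, which is why the option exists for packages that legitimately release rarely.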

Ignore errors (do it wisely)

Add a .sdccheckignore file to your project root directory. Each non-comment line is one rule: a package name, optionally pinned to one version, and after a pipe the comma-separated metrics to ignore for it. A rule without a metric list ignores every metric for that package, and a rule without a version applies to every version of it.

# Ignore errors caused by the unmaintained-package metric for one version of a package
<name>@<version> | unmaintained-package

# Ignore all errors for one version of a package
<name>@<version>

# Ignore errors caused by the unmaintained-package and
# released-after-long-period-of-inactivity metrics for every version of sdc-check
sdc-check | unmaintained-package, released-after-long-period-of-inactivity

# Ignore all errors for every version of sdc-check
sdc-check
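The ignore file syntax above is small enough to parse by hand, which is also a useful way to sanity-check what a rule will and will not silence. The following is an added example that is not part of sdc-check: it reads a .sdccheckignore in the syntax shown and drops matching findings from a report. The findings, package names and versions are constructed for the example; the finding shape (metric, package) follows the JSON report quoted in the issues further down this page.

```javascript
// Added example, not sdc-check's own code: parse .sdccheckignore rules and
// filter a list of findings with them. Rule format, from the README:
//   "#" starts a comment; a rule is "<name>[@<version>] [| metric, metric]".
// No metric list means "every metric"; no version means "every version".
// The ignore file and the findings below are constructed for this example.

const SAMPLE_IGNORE = `
# Ignore the unmaintained-package metric for one version only
left-pad@1.3.0 | unmaintained-package

# Ignore all errors for one version
lodash@4.17.21

# Two metrics, any version
sdc-check | unmaintained-package, released-after-long-period-of-inactivity
`;

// Split "name@version" without breaking scoped names such as "@scope/pkg@1.0.0".
function splitSpec(spec) {
  const at = spec.lastIndexOf('@');
  if (at <= 0) return { name: spec, version: null }; // no version, or a bare scoped name
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

function parseIgnoreFile(text) {
  const rules = [];
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim(); // strip comments and surrounding whitespace
    if (!line) continue;
    const [specPart, metricPart] = line.split('|').map((s) => s.trim());
    const { name, version } = splitSpec(specPart);
    const metrics = metricPart
      ? metricPart.split(',').map((m) => m.trim()).filter(Boolean)
      : null; // null means "all metrics"
    rules.push({ name, version, metrics });
  }
  return rules;
}

function isIgnored(rules, finding) {
  const { name, version } = splitSpec(finding.package);
  return rules.some((r) =>
    r.name === name &&
    (r.version === null || r.version === version) &&
    (r.metrics === null || r.metrics.includes(finding.metric)));
}

function applyIgnores(rules, findings) {
  return findings.filter((f) => !isIgnored(rules, f));
}

// Constructed findings in the shape sdc-check prints in its JSON report.
const SAMPLE_FINDINGS = [
  { metric: 'unmaintained-package', package: 'left-pad@1.3.0' },   // ignored: exact rule
  { metric: 'has-os-scripts', package: 'left-pad@1.3.0' },         // kept: metric not listed
  { metric: 'unmaintained-package', package: 'left-pad@1.2.0' },   // kept: version differs
  { metric: 'package-is-too-new', package: 'lodash@4.17.21' },      // ignored: all metrics
  { metric: 'released-after-long-period-of-inactivity', package: 'sdc-check@0.2.0' }, // ignored: any version
  { metric: 'install-scripts', package: '@scope/pkg@1.0.0' },       // kept: no rule
];

const remaining = applyIgnores(parseIgnoreFile(SAMPLE_IGNORE), SAMPLE_FINDINGS);
console.log(remaining.map((f) => `${f.package} | ${f.metric}`).join('\n'));
```

Note how narrow a versioned rule is: the moment left-pad moves to 1.3.1 the rule stops matching and the finding comes back, which is the behaviour you want for "do it wisely" ignores.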

Check npm package

Find out more about a package before adding it to your dependencies list

npx sdc-check -p ua-parser-js -v 1.0.2

Metrics

  • Lock file is not safe (lockfile-is-not-safe). During development a malicious actor could replace the resolved URLs in a lock file so that a package is fetched from a host serving malicious code; the metric expects every resolved URL to point at the registry

  • The newest package version is too new (package-is-too-new). A new version of a package could be vulnerable. It might be safer to wait X days (daysBeforeUpgradeToNewVersion) before upgrading to it and let the community test it

  • Installation scripts (install-scripts). An attacker can use install scripts (preinstall, install, postinstall) to run commands that perform malicious acts during the package installation step

  • Obfuscated code (obfuscated-code). A package contains obfuscated code, which may point to an attempt to hide potentially malicious code

  • A package has OS scripts (has-os-scripts). An attacker can use .bat/.sh scripts to execute malicious actions (downloading and launching mining apps, etc.)

  • A package script has shell commands (dangerous-shell-commands). A package script contains potentially dangerous commands (curl, wget, chmod, cacls, etc.)

  • The newest package version was released after a long period of inactivity (released-after-long-period-of-inactivity, threshold monthsOfInactivityAllowed). There is a possibility that an attacker has hijacked an account and published malicious code

  • Unmaintained package (unmaintained-package). A package has had no updates for one year

  • Too many decision makers (too-many-decision-makers, threshold limitOfDecisionMakers). A package with too many maintainers/publishers gives an attacker many targets for account takeover and social engineering attacks

  • No source code repository (no-source-code). When a package has no source code repository/homepage, access to review the source code is restricted, forcing users to trust the package blindly
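For lockfile-is-not-safe the check itself is small: read the lockfile, find where every dependency resolves to, and reject anything that is not the registry. The following is an added example that is not sdc-check's own code. It handles both the lockfileVersion 1 layout (nested "dependencies") and the v2/v3 layout (flat "packages" map), and it treats workspace links and file: references as local code rather than as an entry with an empty host, which is the situation reported in the npm-workspaces issue further down this page. The trusted-host list is an assumption to adjust to the registry you use, and both lockfiles, their package names and hosts are constructed for the example.

```javascript
// Added example, not sdc-check's own code: the check behind the
// lockfile-is-not-safe metric. Every dependency a lockfile resolves to a URL
// must be served by a trusted registry host; a "resolved" field pointing
// anywhere else is how a tampered lockfile redirects the install.
// Workspace links and file: references are skipped as local code
// (assumption: they are reviewed with the repository, not fetched).
// TRUSTED_HOSTS and both lockfiles below are constructed for this example.

const TRUSTED_HOSTS = new Set(['registry.npmjs.org', 'registry.yarnpkg.com']);

// Where an entry's tarball comes from: a URL host, a local path, or nothing at all.
function originOf(resolved) {
  if (!resolved) return { kind: 'missing' };
  if (resolved.startsWith('file:')) return { kind: 'local' };
  try {
    return { kind: 'url', host: new URL(resolved).host };
  } catch {
    return { kind: 'local' }; // bare relative path, as npm writes for workspace links
  }
}

function judge(name, version, entry, findings) {
  if (entry.link || entry.inBundle || entry.bundled) return; // nothing is downloaded for these
  if (String(version).startsWith('file:')) return;           // v1 spelling of a local reference
  const origin = originOf(entry.resolved);
  if (origin.kind === 'local') return;
  // Compare the whole host, not a substring: "registry.npmjs.org.evil.example" must fail.
  const host = origin.kind === 'url' ? origin.host : '';
  if (!TRUSTED_HOSTS.has(host)) {
    findings.push({
      metric: 'lockfile-is-not-safe',
      package: `${name}@${version}`,
      message: `detected invalid host(s) for package: ${name}@${version}\n    expected: ${[...TRUSTED_HOSTS].join(' or ')}\n    actual: ${host}`,
    });
  }
}

// lockfileVersion 1: a tree, where nested node_modules live under "dependencies".
function walkV1(deps, findings) {
  for (const [name, entry] of Object.entries(deps ?? {})) {
    judge(name, entry.version, entry, findings);
    walkV1(entry.dependencies, findings);
  }
}

// lockfileVersion 2/3: a flat map keyed by install path ("" is the root project).
function walkPackages(packages, findings) {
  for (const [path, entry] of Object.entries(packages)) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx < 0) continue; // root project or a workspace package: source in the repo, not a download
    const name = entry.name ?? path.slice(idx + 'node_modules/'.length);
    judge(name, entry.version, entry, findings);
  }
}

function checkLockfile(lock) {
  const findings = [];
  if (lock.lockfileVersion >= 2 && lock.packages) walkPackages(lock.packages, findings);
  else walkV1(lock.dependencies, findings);
  return findings;
}

// Constructed v3 lockfile: a clean registry entry, a tarball redirected to a
// third-party host, a workspace link plus its source directory, and a git dependency.
const SAMPLE_LOCK_V3 = {
  name: 'my-app', lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/ms': { version: '2.1.3', resolved: 'https://registry.npmjs.org/ms/-/ms-2.1.3.tgz' },
    'node_modules/debug': { version: '4.3.4', resolved: 'https://cdn.attacker.example/debug-4.3.4.tgz' },
    'node_modules/@my/tool': { resolved: 'packages/tool', link: true },
    'packages/tool': { name: '@my/tool', version: '0.1.0' },
    'node_modules/left-pad': { version: '1.3.0', resolved: 'git+ssh://git@github.com/example/left-pad.git#abc123' },
  },
};

// Constructed v1 lockfile: a look-alike registry host one level down, and a file: workspace.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    ms: { version: '2.1.3', resolved: 'https://registry.npmjs.org/ms/-/ms-2.1.3.tgz',
      dependencies: { nested: { version: '1.0.0', resolved: 'https://registry.npmjs.org.evil.example/nested-1.0.0.tgz' } } },
    '@my/tool': { version: 'file:packages/tool' },
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  for (const f of checkLockfile(lock)) console.log(f.message);
}
```

The git dependency is reported on purpose: a commit hash pins content, but nothing in the lockfile ties it to the registry, so it deserves the same review as any other non-registry source. The look-alike host in the v1 sample is why the comparison is an exact match against the host and not a substring search.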

Common threats in supply chain security

  1. Malicious package release: An attacker may publish malicious packages and trick other users into installing or depending on them.

  2. Social engineering: An attacker may manipulate a maintainer into handing over sensitive information.

  3. Account takeover: An attacker may compromise the credentials of a maintainer to inject malicious code under the maintainer’s name.

  4. Ownership transfer: An attacker can show enthusiasm to maintain a popular abandoned package and have its ownership transferred to them.

  5. Remote execution: An attacker may target a package by compromising the third-party services used by that package.

Roadmap

Status       | Name                      | Description
In progress  | Initial release           | Will be soon
To do        | Expired Maintainer Domain | An attacker can hijack a package if a maintainer’s domain is expired (info)

Install

npm i -D sdc-check

or

yarn add -D sdc-check

Acknowledgments

License

MIT

Comments
  • root package confused with npm package

    I installed and ran the tool just like you suggested and it fails every time because it cannot find the version of my app, which is the root project. I tried this on both the v1 and v2 versions of my package-lock.json. I think the problem is that myapp (I changed the name) is a private package that is not on NPM, but there is a package called myapp on NPM. sdc-check doesn't realize that the root package should not be looked up on NPM. This is true even if I add my app to the .sdccheckignore.

    npm run sdc-check
    
    > myapp@0.0.7 sdc-check
    > sdc-check -d .
    
    ⠸ Running sdc-checkERROR: Could not gather metrics
    myapp: No matching version found for myapp@0.0.7.
        at module.exports (/tmp/myapp/node_modules/npm-pick-manifest/lib/index.js:209:23)
        at /tmp/myapp/node_modules/pacote/lib/registry.js:126:26
        at processTicksAndRejections (node:internal/process/task_queues:96:5)
        at async getMetrics (file:///tmp/myapp/node_modules/sdc-check/src/metrics.js:28:37)
        at async check (file:///tmp/myapp/node_modules/sdc-check/index.js:41:17)
        at async file:///tmp/myapp/node_modules/sdc-check/src/cli.js:46:14 {
      code: 'ETARGET',
      type: 'version',
      wanted: '0.0.7',
      versions: [
        '1.1.6',  '1.1.7',  '1.1.8',  '1.1.9',  '1.1.10',
        '1.1.11', '1.1.12', '1.1.13', '1.1.14', '1.1.15',
        '1.3.4',  '1.3.5',  '1.3.7',  '1.3.8',  '1.3.9',
        '1.3.10'
      ],
      distTags: { latest: '1.3.10' },
      defaultTag: 'latest'
    }
    ERROR: Could not perform sdc-check audit
    Error: sdc-check internal error
        at file:///tmp/myapp/node_modules/sdc-check/src/cli.js:50:13
        at processTicksAndRejections (node:internal/process/task_queues:96:5)
    
    🚫 sdc-check exited with error
    
    opened by mckaymatt 2
  • `file:` protocol in `package-lock.json` seems to not be supported

    Hey! Cool project :) I tried it out and got some weird errors. Inside mdx-js/mdx:

    node -v # v17.4.0
    npm -v # 8.5.5
    npx sdc-check -d .
    

    Yields:

    Errors: 22
    [
      {
        "metric": "lockfile-is-not-safe",
        "message": "detected invalid host(s) for package: @mdx-js/esbuild@file:packages/esbuild-ebc0e1c9cb0044a8d3631c422ddb2f0182111f49\n    expected: registry.npmjs.org\n    actual: \n",
        "package": "@mdx-js/esbuild@file:packages/esbuild-ebc0e1c9cb0044a8d3631c422ddb2f0182111f49"
      },
      {
        "metric": "lockfile-is-not-safe",
        "message": "detected invalid host(s) for package: @mdx-js/loader@file:packages/loader-bd54eca448ffeb221a8b218aea8e32061618c046\n    expected: registry.npmjs.org\n    actual: \n",
        "package": "@mdx-js/loader@file:packages/loader-bd54eca448ffeb221a8b218aea8e32061618c046"
      },
      ...,
      {
        "metric": "package-is-too-new",
        "package": "@mdx-js/[email protected]",
        "message": "package release date is 2022-03-31"
      },
      {
        "metric": "package-is-too-new",
        "package": "@mdx-js/[email protected]",
        "message": "package release date is 2022-03-31"
      },
    

    So, it seems npm workspaces, or at least local references, don’t work well?

    opened by wooorm 2
  • Is this OK to use globally?

    From the README, the CLI seems to be supported (sdc-check -d .). However, it is unclear whether it works when globally installed. Please, could you confirm?

    opened by goldingdamien 1
  • Support pnpm as package manager

    After checking the source code, I realized that only npm and yarn are supported.

    I have the feeling that this is a really valuable tool for people who want to be aware of potential security issues, so it would be amazing if there was official pnpm support too.

    P.S.: It would be great to have a small notice of which package managers are supported in the readme, since the error "Running sdc-checkError: There are no metrics data to create report" wasn't telling me clearly what the issue was.

    opened by mcmxcdev 2
Owner
Maksim Balabash