Ask HN: Does anyone investigate open source packages before using in prod?

14 pointslyttlerock5y ago38 comments

I'm curious to hear if anyone else does any due diligence before using open source packages in production? Not anything major - just checking for recent commits / activity, issue logs, etc.

38 comments

alltakendamned5y ago

It's interesting to see so many people here checking the code of all their open source packages, so here's my take on it as a security consultant:

No, most people don't, they even have a hard time keeping library versions up to date.

jfoster5y ago

Do you have a pragmatic approach that you typically recommend, considering that (without version pinning thousands of packages) anything could change from one day to the next? (even if a package was "good" today, it could turn "bad" tomorrow)

The best I've been able to come up with is to pick things that have minimal dependencies of their own. It doesn't eliminate the threat, but it does at least reduce it.

alltakendamned5y ago

No it’s not easy to realize. From a security perspective the idea is to always run the latest. Breaking backwards compatibility becomes a more difficult proposition. In reality you need to have an engineer test or analyze the updates. Some mature libraries maintain backwards compatibility (eg openssl) but if using something like npm it becomes almost impossible.

cpach5y ago

IIRC there is some kind of SaaS solution for this but right now I can’t recall its name. Maybe someone else here knows?

Edited: I reached out to some security people and it seems like the following are popular tools for this use case: Snyk / Dependabot / Whitesource.

1 more reply

stevekemp5y ago

I used to audit opensource code for security issues, on a regular basis, and even now before I install a public-facing application I generally have a look at the code.

It's not often I spot anything major, but I figure if I have the time I should do it just in case.

I often look at the code for PHP-extensions, npm-libraries, and similar that colleagues introduce. Just to be sure there's not anything blatently horrid going on.

austincheney5y ago

Yes.

If you work in a secure environment or support critical infrastructure there are teams whose sole purpose is to approve/deny releasing software regardless of who wrote it. Such teams will typically require source code, written justification, senior management signed approval, and test validation. In the case where source code is not provided, such as closed source commercial software, the vendor will be required to accept liability for all losses due to their software as ratified by a signed contract.

WA9ACE5y ago

I normally read a good chunk, if not all of the code of a dependency before I add it to my projects except in the case of community standard things (in Ruby) such as ActiveSupport or Sequel. Going over a prospective dependency a few months ago bore fruit in proving why you should always do this. NewsAPI is a neat little API for fetching news whose docs just so happen to show a ruby gem. Being the lazy developer I am I’d like to use the gem than build another API client, but before I did that I read the source as one should. Low and behold what do I find but the evil eval in the code for a dirt simple API client. No thanks.

https://github.com/olegmikhnovich/News-API-ruby/blob/master/...

amoitnga5y ago

Is this malicious? I'm honestly curious, as I don't have much experience still in the field. my answer to OPs question is NO , but I'd like to grow.

jfoster5y ago

This article might be of interest:

https://medium.com/hackernoon/im-harvesting-credit-card-numb...

nikitaga5y ago

I am paranoid about security of all those packages, so yes, even before just downloading, I check the authors, activity and read the source code. Not always – e.g. I skip the source code if it's something big AND very reputable AND I decided that I need it such as scala/scala or facebook/react – but I do my best.

It's very annoying, it's not free, and it affects what kinds of libraries I use. My projects have fewer and smaller dependencies than typical because of these self imposed constraints.

On the upside, borrowing a pattern or a dozen lines of code instead of pulling a dependency that will remain 90% unused is really underrated. As is understanding how things work under the hood.

jfoster5y ago

React itself is big & reputable, but the dependency tree is massive and I doubt that it's getting fully vetted on an ongoing basis. Even if you vet it today, any given dependency can be updated to something else tomorrow.

There are definitely some things in React's dependency tree that are a bit questionable if you are sensitive enough to any given problem, beyond just security. For example, packages where the license being used is contradictory between the package.json vs the LICENSE file or the full license terms are not expressed within these but are clarified in the README.md.

overkalix5y ago

> My projects have fewer and smaller dependencies than typical

Taking a look at your at your github projects and build.sbt... this is quite an understatement.

nikitaga5y ago

Haha well tbh I just didn't feel the need for more deps in such libraries. It's a tougher choice in application code!

uvw5y ago

I would be surprised if anyone has enough resources or willingness to do that for every open source package they are using. For companies that go through auditing, they can CTA by relying on products like Nexus IQ.

carapace5y ago

Yes, in depth. Not just the packages but their dependencies as well.

gitgud5y ago

Really? What about all the dependencies from those dependencies?...

For example, our company is working on an app that has 82 npm dependencies and over 17,000 resolved npm packages...

It's absolutely ridiculous to investigate all of them... but it's also necessary if you want to be sure...

carapace5y ago

> Really? What about all the dependencies from those dependencies?...

Yep, all the way to the end.

I got the idea from a book called "Hollywood Secrets of Project Management Success" by James R. Persse. It's two books interleaved really, one is just a standard pitch for Agile methods (IMO), but the other is a presentation of the process that large film studios use to make movies. The movie industry is ~100 years old and mostly very good at bringing in projects on time and under budget.

Somewhere in there he talks about how they'll track their dependencies in a kind of "portfolio", I forget the details, but it translates in IT to a "dependency portfolio" and you would (if you're large enough) have an actual "Deps Dept." and a Deps Manager whose sole job is tracking dependencies and their updates and patches, etc.

> working on an app that has 82 npm dependencies

Ach! Well, see, there's your problem right there. :-)

Seriously though, one of the benefits of a dependency portfolio is to help you know when your system has gotten out of hand. The problems are still there even if you don't look at them, eh?

> It's absolutely ridiculous to investigate all of them... but it's also necessary if you want to be sure...

Ya feel. ;-)

1 more reply

seanwilson5y ago

How long does it take you to do this for e.g. all the dependencies for a bare bones Angular, Vue or React app?

carapace5y ago

I couldn't begin to estimate. (We don't use those.)

1 more reply

jfoster5y ago

On what cadence do you do this? Every release?

carapace5y ago

The "deps portfolio" gets updated whenever the deps change. In practice the flow goes like this:

0. A dev wants to use a new dependency, likely after experimenting with it a little bit.

1. Preliminary evaluation, which includes a transitive dependency scan. ("Too many dependencies" is a valid fail condition all on it's own.)

2. If everything looks good we bring it and it's deps into our internal repo. This includes the plumbing to add it to our dev|test|production envs. (Using Docker or whatever.)

3. Now the devs can use it in code destined for prod. There's a nice page in the company wiki that lists the exact version(s) with links to the docs, bug trackers, mailing lists, etc. and also the internal company lore for that package.

It's tight.

- - - -

This might seem like a lot of work up front, but think about all the work it saves down the line.

1 more reply

bjourne5y ago

Doesn't everyone? That's one of the annoying parts of using other people's code. You have no idea how good or bad it is until you have thoroughly vetted it.

bnchrch5y ago

These comments feel skewed. I look for activity and support. Reading the actual code is typically far from my mind.

The time-opportunity cost isnt worth it on average

amoitnga5y ago

In my case no. But I tend to use the big guns. I'm willing to learn though

bluGill5y ago

Yes, if there are no commits at all I know I'm stuck maintaining it.

sigjuice5y ago

Or it could be mature and stable software that doesn't need constant maintaining.

bluGill5y ago

Maybe, but then I'd expect a small number of bug fix commits. Most software never matures in that way.

wolco5y ago

Sort of. By the time you choose the package that info should be known.

j / k navigate · click thread line to collapse

38 comments

alltakendamned5y ago

It's interesting to see so many people here checking the code of all their open source packages, so here's my take on it as a security consultant:

No, most people don't, they even have a hard time keeping library versions up to date.

jfoster5y ago

The best I've been able to come up with is to pick things that have minimal dependencies of their own. It doesn't eliminate the threat, but it does at least reduce it.

alltakendamned5y ago

cpach5y ago

IIRC there is some kind of SaaS solution for this but right now I can’t recall its name. Maybe someone else here knows?

Edited: I reached out to some security people and it seems like the following are popular tools for this use case: Snyk / Dependabot / Whitesource.

1 more reply

stevekemp5y ago

I used to audit opensource code for security issues, on a regular basis, and even now before I install a public-facing application I generally have a look at the code.

It's not often I spot anything major, but I figure if I have the time I should do it just in case.

I often look at the code for PHP-extensions, npm-libraries, and similar that colleagues introduce. Just to be sure there's not anything blatently horrid going on.

austincheney5y ago

Yes.

WA9ACE5y ago

https://github.com/olegmikhnovich/News-API-ruby/blob/master/...

amoitnga5y ago

Is this malicious? I'm honestly curious, as I don't have much experience still in the field. my answer to OPs question is NO , but I'd like to grow.

jfoster5y ago

This article might be of interest:

https://medium.com/hackernoon/im-harvesting-credit-card-numb...

nikitaga5y ago

It's very annoying, it's not free, and it affects what kinds of libraries I use. My projects have fewer and smaller dependencies than typical because of these self imposed constraints.

On the upside, borrowing a pattern or a dozen lines of code instead of pulling a dependency that will remain 90% unused is really underrated. As is understanding how things work under the hood.

jfoster5y ago

overkalix5y ago

> My projects have fewer and smaller dependencies than typical

Taking a look at your at your github projects and build.sbt... this is quite an understatement.

nikitaga5y ago

Haha well tbh I just didn't feel the need for more deps in such libraries. It's a tougher choice in application code!

uvw5y ago

carapace5y ago

Yes, in depth. Not just the packages but their dependencies as well.

gitgud5y ago

Really? What about all the dependencies from those dependencies?...

For example, our company is working on an app that has 82 npm dependencies and over 17,000 resolved npm packages...

It's absolutely ridiculous to investigate all of them... but it's also necessary if you want to be sure...

carapace5y ago

> Really? What about all the dependencies from those dependencies?...

Yep, all the way to the end.

> working on an app that has 82 npm dependencies

Ach! Well, see, there's your problem right there. :-)

Seriously though, one of the benefits of a dependency portfolio is to help you know when your system has gotten out of hand. The problems are still there even if you don't look at them, eh?

> It's absolutely ridiculous to investigate all of them... but it's also necessary if you want to be sure...

Ya feel. ;-)

1 more reply

seanwilson5y ago

How long does it take you to do this for e.g. all the dependencies for a bare bones Angular, Vue or React app?

carapace5y ago

I couldn't begin to estimate. (We don't use those.)

1 more reply

jfoster5y ago

On what cadence do you do this? Every release?

carapace5y ago

The "deps portfolio" gets updated whenever the deps change. In practice the flow goes like this:

0. A dev wants to use a new dependency, likely after experimenting with it a little bit.

1. Preliminary evaluation, which includes a transitive dependency scan. ("Too many dependencies" is a valid fail condition all on it's own.)

2. If everything looks good we bring it and it's deps into our internal repo. This includes the plumbing to add it to our dev|test|production envs. (Using Docker or whatever.)

It's tight.

- - - -

This might seem like a lot of work up front, but think about all the work it saves down the line.

1 more reply

bjourne5y ago

Doesn't everyone? That's one of the annoying parts of using other people's code. You have no idea how good or bad it is until you have thoroughly vetted it.

bnchrch5y ago

These comments feel skewed. I look for activity and support. Reading the actual code is typically far from my mind.

The time-opportunity cost isnt worth it on average

amoitnga5y ago

In my case no. But I tend to use the big guns. I'm willing to learn though

bluGill5y ago

Yes, if there are no commits at all I know I'm stuck maintaining it.

sigjuice5y ago

Or it could be mature and stable software that doesn't need constant maintaining.

bluGill5y ago

Maybe, but then I'd expect a small number of bug fix commits. Most software never matures in that way.

wolco5y ago

Sort of. By the time you choose the package that info should be known.

j / k navigate · click thread line to collapse