How can the validity and safety of a software library be checked?

Question

So beyond looking at the source code for particular software library, is there a way to vet that it does not contain malicious code? As far as I know from my own research, services like pip, npm, and composer do not provide any assurances(Not that I would really expect them to).

The reason I am somewhat averse to reading through the source is that as the number of libraries I use increases, the amount of source code I now have to go through becomes a huge effort.

So given that I want to use some opensource library X, what steps can I take to verify that it is safe to use aside from reading through all the source?

Answer 1

You have basically two options (provided you can verify your download, e.g., using a PGP signature):

• Read the code yourself
• Find some way to trust the developer

Reading the code yourself will not only need a lot of time, but an evil developer has a lot of ways to hide a backdoor. So you will need to trust the library authors.

The most important thing there is: Use as little code from others as needed. For example you mentioned npm. A typical project using npm downloads hundreds of tiny modules just to display a hello world message. Each of them could be malicious or break your build, see e.g. the disaster with left-pad.

When you decide you need a library (everything that is too time consuming or too complicated to implement yourself and definitely everything security related like encryption), try to find out which library may be trustworthy and then choose one and try not to use another one in each other part of the code.

There is no straightforward answer on how to build trust. Everyone needs to decide himself. There are some red flags about what code you should probably avoid, but there is no clear indication if a library without red flags is still malicious or not.