
When installing a Node.js package via npm or when running npm-audit I get information about known vulnerabilities of packages in the project. From my understanding this means that there must be some database somewhere that contains this vulnerability information.

Is there some possibility to use this database to get a "vulnerabilities history" of a package? I want to query this DB for npm package "xyz" and get all versions and the known vulnerabilities associated with this version.

Anders
pinas
  • Maybe you can create a mock project, add a dependency to XYZ of the exact version you are interested in, and run npm-audit on your project? – Anders Jun 25 '19 at 10:39
  • @Anders yes this would be possible but I am more interested in the history of vulnerabilities for the whole project not for a specific version. – pinas Jun 25 '19 at 10:42
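The mock-project approach suggested in the comments ends with `npm audit --json` output, which is keyed by advisory rather than by package version. The following added example (not part of the original question or answers) regroups an npm 6 style audit report into the per-package, per-version "vulnerability history" the question asks for; the report, the package name `xyz`, the advisory ids and the titles are all constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample of `npm audit --json` output (npm 6 format), trimmed to the
# fields this script reads; package name, advisory ids and titles are made up.
SAMPLE_AUDIT_JSON = """
{
  "advisories": {
    "1001": {
      "id": 1001,
      "module_name": "xyz",
      "title": "Prototype pollution (constructed example)",
      "severity": "high",
      "vulnerable_versions": "<2.1.0",
      "patched_versions": ">=2.1.0",
      "findings": [{"version": "2.0.3", "paths": ["xyz"]},
                   {"version": "1.9.0", "paths": ["other-dep>xyz"]}]
    },
    "1002": {
      "id": 1002,
      "module_name": "xyz",
      "title": "Regular expression denial of service (constructed example)",
      "severity": "moderate",
      "vulnerable_versions": "<1.9.5",
      "patched_versions": ">=1.9.5",
      "findings": [{"version": "1.9.0", "paths": ["other-dep>xyz"]}]
    }
  }
}
"""

def vulnerability_history(audit_json: str) -> dict:
    """Return {module_name: {installed_version: [advisory summaries]}}."""
    report = json.loads(audit_json)
    history = defaultdict(lambda: defaultdict(list))
    for advisory in report.get("advisories", {}).values():
        keys = ("id", "title", "severity", "vulnerable_versions", "patched_versions")
        summary = {k: advisory.get(k) for k in keys}
        # findings[] lists the concrete lockfile versions that npm matched
        # against vulnerable_versions; one advisory can hit several versions.
        for finding in advisory.get("findings", []):
            history[advisory["module_name"]][finding["version"]].append(summary)
    return {module: dict(versions) for module, versions in history.items()}

def advisories_for(history: dict, module: str, version: str) -> list:
    """Sorted advisory ids that npm audit reported for one exact version."""
    return sorted(a["id"] for a in history.get(module, {}).get(version, []))

if __name__ == "__main__":
    for module, versions in vulnerability_history(SAMPLE_AUDIT_JSON).items():
        for version in sorted(versions):
            for a in versions[version]:
                print(f"{module}@{version}: [{a['severity']}] {a['title']} "
                      f"(fixed in {a['patched_versions']})")
```

Only versions that actually appear in the audited lockfile show up, so an unaffected or absent version yields an empty list; to cover several versions, pin each one in the mock project before auditing.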

2 Answers


If you are searching for vulnerabilities in packages and software I would suggest looking in databases like https://cve.mitre.org/. All the common vulnerabilities and exposures you are talking about are listed there. Just type your software into the search field and hit submit (like wordpress):

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress

BUT: Take care. These listed vulnerabilities are just the known ones. If you look a version up and cannot find anything it doesn't mean that there are no problems with it.

Cyberduck
    Hi thank you - is the mitre database the source used directly by npm-audit or is there some intermediate database? – pinas Jun 25 '19 at 10:37
  • I would say it's an intermediate one. npm is using this database if I had to guess: http://ossindex.sonatype.org But if you want to look your vulnerabilities up it would be easier for you using another site – Cyberduck Jun 25 '19 at 10:51

You might want to take a look at https://snyk.io. It has a public Vulnerability DB including many npm packages. There you can search for your desired packages to get all known vulnerabilities.

For example Angular JS: https://snyk.io/vuln/search?q=angular&type=npm

To get an overview for a package you can use https://snyk.io/vuln/npm:<package>:

https://snyk.io/vuln/npm:angular

You also can test certain versions using https://snyk.io/test/npm/<package>/<version>:

https://snyk.io/test/npm/angular/1.1.5

snyk.io also offers an API (which is not free) and a CLI similar to npm audit.

Samuel Philipp
    Hi - thank you for this hint. I know Snyk and their product is really nice but I did not know that this information is available free of charge (which is important for this project since I'm doing it in my spare time). Thank you :) – pinas Jun 25 '19 at 19:09