
For a project with many open-source libraries as a part of it, I began to search for information sources concerning all upgrades and security issues. The kind of sources I gathered are either announcement lists or issue/bug trackers in the form of RSS feeds or mailing lists, as either could be retrieved and parsed in one way or another, and then gathered in one place.

The problem is, for a third of those libraries, none of this is available. So I was wondering, aside from RSS/Atom feeds or mailing lists, are there any other parsable sources I should be tracking?

EDIT:

We've recently started to make an audit manually, trying to list the known vulnerabilities of the open source libraries we use. For that it was decided to use security advisory sites such as Secunia, Vupen, and NVD, as the information is generally formatted in a relevant way. However we want to automate the process in the future.

Would parsing such sites be easier and/or bring more relevant information when compared to other sources? I know for a fact that Secunia doesn't take so kindly to a script sniffing their sites, and wondered if it would be the case for other security advisories, or if such a hurdle could be encountered with other kinds of sources.

Eldros
  • As the responses already reflect, it can depend a lot on what libraries you're talking about, on what platform. The development ecosystem and update strategies are significantly different for Java, Python, Ubuntu, Windows, etc. What operating system? What packaging system or source control do you use to keep up to date with the packages? What programming language? – nealmcb Nov 28 '10 at 23:58
  • @all, thanks for your answers, I'll be going through each of them as soon as I have some time. In any case, I appreciate it, as it opened new leads to explore. – Eldros Nov 29 '10 at 10:20
  • @nealmcb, the project is developed in Java with Eclipse as IDE and I think most of the developers are using Windows to work, although the targets are both Windows and Linux operating systems. CVS is used as version control. I don't know if I am at liberty to discuss more about it, as I don't want to divulge sensitive information. And even if I knew, I don't know if my information would be 100% accurate, as I am not part of the developer team. As such I'm trying to stay general, but at the same time giving as much detail as possible. – Eldros Nov 29 '10 at 10:25
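The "retrieve, parse, gather in one place" step the question describes, as an added example that is not part of the original question or of any answer. It normalises an Atom feed and an RSS 2.0 feed into one item list, keeps only items that name a tracked library, and sorts them newest first. Both feeds, the library names and the URLs are constructed samples; in practice the bytes would come from each project's real feed URL.

```python
"""Aggregate release/advisory announcements from RSS 2.0 and Atom feeds
and keep only the items that mention libraries we track.

Added example, not code from the original question or answers. The two
feeds below are constructed samples; replace them with the bytes fetched
from a project's real feed URL.
"""
import xml.etree.ElementTree as ET
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Dict, List

ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Constructed sample: an Atom feed such as a project's "releases" feed.
SAMPLE_ATOM = b"""<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>libfoo releases</title>
  <entry>
    <title>libfoo 2.4.1 released (fixes buffer over-read in parser)</title>
    <link href="https://example.invalid/libfoo/2.4.1"/>
    <updated>2010-11-28T10:00:00Z</updated>
  </entry>
  <entry>
    <title>libfoo 2.4.0 released</title>
    <link href="https://example.invalid/libfoo/2.4.0"/>
    <updated>2010-10-02T09:30:00Z</updated>
  </entry>
</feed>"""

# Constructed sample: an RSS 2.0 feed from an announcement mailing-list archive.
SAMPLE_RSS = b"""<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>announce list</title>
  <item>
    <title>[SECURITY] barlib 1.9.3 addresses XML entity expansion issue</title>
    <link>https://example.invalid/barlib/1.9.3</link>
    <pubDate>Mon, 29 Nov 2010 08:15:00 +0000</pubDate>
  </item>
  <item>
    <title>unrelated-tool 0.3 now available</title>
    <link>https://example.invalid/unrelated/0.3</link>
    <pubDate>Sun, 28 Nov 2010 12:00:00 +0000</pubDate>
  </item>
</channel></rss>"""


def _parse_atom(root) -> List[Dict]:
    items = []
    for entry in root.iter(ATOM_NS + "entry"):
        link = entry.find(ATOM_NS + "link")
        when = entry.findtext(ATOM_NS + "updated") or entry.findtext(ATOM_NS + "published")
        items.append({
            "title": entry.findtext(ATOM_NS + "title", default=""),
            "link": link.get("href") if link is not None else "",
            # Atom dates are RFC 3339; fromisoformat needs "+00:00" rather than "Z".
            "published": datetime.fromisoformat(when.replace("Z", "+00:00")),
        })
    return items


def _parse_rss(root) -> List[Dict]:
    items = []
    for item in root.iter("item"):
        items.append({
            "title": item.findtext("title", default=""),
            "link": item.findtext("link", default=""),
            # RSS 2.0 dates are RFC 822; email.utils handles that format.
            "published": parsedate_to_datetime(item.findtext("pubDate")),
        })
    return items


def parse_feed(raw: bytes, source: str) -> List[Dict]:
    """Detect Atom vs RSS from the root element and normalise the entries."""
    root = ET.fromstring(raw)
    if root.tag == ATOM_NS + "feed":
        items = _parse_atom(root)
    elif root.tag == "rss":
        items = _parse_rss(root)
    else:
        raise ValueError(f"unrecognised feed root element: {root.tag}")
    for it in items:
        it["source"] = source
    return items


def relevant_items(feeds, tracked: List[str]) -> List[Dict]:
    """Merge several feeds, keep items naming a tracked library, newest first."""
    merged = []
    for raw, source in feeds:
        merged.extend(parse_feed(raw, source))
    names = [n.lower() for n in tracked]
    hits = [it for it in merged if any(n in it["title"].lower() for n in names)]
    return sorted(hits, key=lambda it: it["published"], reverse=True)


if __name__ == "__main__":
    for it in relevant_items([(SAMPLE_ATOM, "libfoo-atom"), (SAMPLE_RSS, "announce-rss")],
                             ["libfoo", "barlib"]):
        print(it["published"].isoformat(), it["source"], it["title"])
```

Title keyword matching is deliberately loose: a feed from a third party is an untrusted input, so the aggregator only filters and orders, and a human still reads the item before anything is upgraded. For feeds fetched from servers you do not control, parse with `defusedxml` rather than the standard-library parser, since a hostile feed can carry entity-expansion payloads.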

7 Answers


The Open Source Vulnerability Database (http://osvdb.org/) is useful. See also the answers to this question

If the libraries are among the tens of thousands of Ubuntu packages, the Ubuntu CVE tracker provides good information:

http://people.canonical.com/~ubuntu-security/cve/

The code to parse the Mitre CVE database and the NVD (National Vulnerability Database) for new vulnerabilities and track security issues is at https://launchpad.net/ubuntu-cve-tracker

You can see the README and browse the code and parsed CVEs at

http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/files

and you can easily follow it with the open-source "bzr" distributed source control system.

Security and packaging problems are unusually complicated for Java as discussed at http://fnords.wordpress.com/2010/09/24/the-real-problem-with-java-in-linux-distros/

nealmcb
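What "parsing the NVD for new vulnerabilities and tracking security issues" comes down to for a dependency list, as an added example that is not code from the answer above or from the Ubuntu CVE tracker: each inventory entry is compared against the CPE match criteria of a set of CVE records, honouring the version-range bounds. The records are constructed samples with placeholder CVE ids (not real CVEs); their field names (`vulnerabilities`, `cve.configurations`, `nodes`, `cpeMatch`, `versionStartIncluding` and friends) are assumed to follow NVD's CVE JSON 2.0 feed, and the inventory is also constructed.

```python
"""Match a dependency inventory against NVD-style CVE records.

Added example, not code from the original answer or from the Ubuntu CVE
tracker. The records below are constructed samples with placeholder CVE
ids; their shape follows the field names of NVD's CVE JSON 2.0 feed
(configurations -> nodes -> cpeMatch with versionStart*/versionEnd*),
which is an assumption about the feed you would actually download.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory: what a build actually ships, named as in CPE.
INVENTORY = [
    {"vendor": "apache", "product": "commons_collections", "version": "3.2.1"},
    {"vendor": "fooproject", "product": "libfoo", "version": "2.4.1"},
    {"vendor": "barproject", "product": "barlib", "version": "1.9.2"},
]

# Constructed CVE records with placeholder ids (NOT real CVEs).
SAMPLE_NVD = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001",
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:barproject:barlib:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.9.3"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002",
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:fooproject:libfoo:2.4.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0003",
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.0",
                  "versionEndIncluding": "3.2.1"}]}]}]}},
]}


def version_key(v: str) -> Tuple:
    """Sortable key: numeric runs compare as ints, alphabetic runs as strings."""
    return tuple((1, int(p)) if p.isdigit() else (0, p.lower())
                 for p in re.findall(r"\d+|[A-Za-z]+", v))


def parse_cpe23(criteria: str) -> Tuple[str, str, str]:
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = criteria.split(":")
    if len(parts) < 6 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {criteria}")
    return parts[3], parts[4], parts[5]


def cpe_match_applies(m: Dict, dep: Dict) -> bool:
    """True if one cpeMatch entry covers the dependency's vendor, product and version."""
    vendor, product, version = parse_cpe23(m["criteria"])
    if (vendor, product) != (dep["vendor"], dep["product"]):
        return False
    have = version_key(dep["version"])
    if version != "*":
        # Exact-version criteria: no range fields are consulted.
        return have == version_key(version)
    if m.get("versionStartIncluding") and have < version_key(m["versionStartIncluding"]):
        return False
    if m.get("versionStartExcluding") and have <= version_key(m["versionStartExcluding"]):
        return False
    if m.get("versionEndIncluding") and have > version_key(m["versionEndIncluding"]):
        return False
    if m.get("versionEndExcluding") and have >= version_key(m["versionEndExcluding"]):
        return False
    return True


def find_affected(nvd: Dict, inventory: List[Dict]) -> Dict[str, List[str]]:
    """Map each inventory entry ('product version') to the CVE ids that apply to it."""
    result: Dict[str, List[str]] = {}
    for dep in inventory:
        label = f'{dep["product"]} {dep["version"]}'
        for rec in nvd["vulnerabilities"]:
            cve = rec["cve"]
            matches = (m for cfg in cve.get("configurations", [])
                       for node in cfg["nodes"] for m in node["cpeMatch"]
                       if m.get("vulnerable", True))
            if any(cpe_match_applies(m, dep) for m in matches):
                result.setdefault(label, []).append(cve["id"])
    return result


if __name__ == "__main__":
    for label, ids in find_affected(SAMPLE_NVD, INVENTORY).items():
        print(label, "->", ", ".join(ids))
```

Two caveats a real run hits immediately: the hard part is mapping a Maven artifact to the CPE vendor/product pair the NVD uses (the inventory above is written in CPE terms by hand), and `version_key` does not understand pre-release suffixes, so "2.4.1rc1" sorts after "2.4.1". Both are things to resolve before trusting an automated "not affected".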

For some subset of the missing third, you can subscribe to the project on Freecode (formerly known as "Freshmeat").

You may also find the Security page and Vulnerability database at Linux Weekly News useful. (And if you do, I highly recommend subscribing to LWN, which is a very valuable information source for Linux and open source in general, and not backed by any large, wealthy company.)

mattdm

One other way to deal with this is to check out libraries directly from their official source code repository and do updates once in a while. Easier than always downloading and easy to revert.

Olivier Lalonde

Your assessment may be expressible in an OVAL tool.

  • After browsing the site a bit, I fail to see the relevance of it to my problem. Might be due to me miscommunicating my issues, or simply insufficient English skills. As you are more familiar with it, could you care to elaborate on how and why an OVAL tool can be used in my case? – Eldros Nov 26 '10 at 12:07
  • OVAL is a standard way to evaluate the security of a system by asking well-formatted queries of a service that will reply in a standard way. I thought that there would be a repository that speaks OVAL and gives you an extra option beyond RSS feeds for evaluating the security of your dependency libraries. –  Nov 29 '10 at 14:45
  • Well I'm more asking about knowing when the maintainers of open-source libraries are doing upgrades, or when they found critical security issues (something in the line of security advisories), so the proper action could be taken on our side (namely upgrade the libraries, or try to mitigate the issue on our side). – Eldros Nov 30 '10 at 12:40

If you're a developer, NuGet (formerly NuPack) is software on CodePlex that automates the management of 3rd-party libraries in your application.

http://nuget.codeplex.com/

All the packages are maintained here:

http://nupackpackages.codeplex.com/

If you know of any software projects (or write one yourself) that can be incorporated into a "Windows Update" of sorts that allows for IT to monitor and manage the patch list for FOSS software, please update this question with what you find!

makerofthings7

OWASP Dependency Check checks your libs and compares them to a list of known vulnerabilities. It "has a command line interface, a Maven plugin, an Ant task, and a Jenkins plugin." Or as they describe it:

Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently Java, .NET, and Python dependencies are supported.

David Balažic

If your project is set up using Maven you can add code repositories and mirrors you want to index.

Having come this far, you can then, for example, specify in your pom.xml that you want to use the latest release of a given library. Once there is a new release of that library your project won't build until you have downloaded the library into your own local repository.

For example you could use Sonatype Nexus Maven Repository to manage all your repositories. Then you could easily parse Nexus's repository viewer to find out if there have been any updates. I am unsure if Nexus has built-in RSS.

Gene Gotimer
Chris Dale
  • Also for Maven, you could consider using the OWASP Dependency Check plugin: https://www.owasp.org/index.php/OWASP_Dependency_Check and http://jeremylong.github.io/DependencyCheck/index.html – Gene Gotimer Nov 15 '13 at 14:29
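Before any of the Maven-based approaches above can be automated, the audit needs to know which version of each library the pom.xml actually selects. The following is an added example, not code from the answer or from Maven or Nexus: it reads a pom, resolves `${property}` references and versions supplied through `<dependencyManagement>`, and flags any dependency whose version is not one concrete number (a range such as `[2.0,)`, a `-SNAPSHOT`, or a missing version), because those are the entries an "are we affected?" check cannot answer. The pom is a constructed sample.

```python
"""Extract the dependency inventory from a Maven pom.xml.

Added example, not code from the original answer. It resolves
${property} references and versions supplied via <dependencyManagement>,
and flags anything whose version is not a single concrete number, since
an unpinned version makes "which version do we actually ship?"
unanswerable during an audit. The pom below is a constructed sample.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom: one property-driven version, one managed version,
# one open-ended range and one reference to the project's own version.
SAMPLE_POM = b"""<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>app</artifactId>
  <version>1.0.0</version>
  <properties>
    <commons.version>3.2.1</commons.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.example</groupId>
        <artifactId>managed-lib</artifactId>
        <version>5.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>${commons.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>managed-lib</artifactId>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>floating-lib</artifactId>
      <version>[2.0,)</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>sibling</artifactId>
      <version>${project.version}</version>
    </dependency>
  </dependencies>
</project>"""

PROP_RE = re.compile(r"\$\{([^}]+)\}")
# A concrete version starts with a digit and contains no range brackets or commas.
CONCRETE_RE = re.compile(r"^[0-9][0-9A-Za-z.\-_]*$")


def _text(el, name, default=None):
    return el.findtext(POM_NS + name, default=default)


def _interpolate(value, props, depth=0):
    """Expand ${name} references, allowing properties that refer to properties."""
    if value is None or depth > 10:
        return value
    new = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)
    return new if new == value else _interpolate(new, props, depth + 1)


def pom_inventory(raw: bytes) -> List[Dict]:
    root = ET.fromstring(raw)
    props = {"project.version": _text(root, "version"),
             "project.groupId": _text(root, "groupId"),
             "project.artifactId": _text(root, "artifactId")}
    p = root.find(POM_NS + "properties")
    if p is not None:
        for child in p:
            props[child.tag.replace(POM_NS, "")] = (child.text or "").strip()
    managed = {}
    for d in root.iterfind(f"{POM_NS}dependencyManagement/{POM_NS}dependencies/{POM_NS}dependency"):
        managed[(_text(d, "groupId"), _text(d, "artifactId"))] = _text(d, "version")
    inventory = []
    for d in root.iterfind(f"{POM_NS}dependencies/{POM_NS}dependency"):
        key = (_text(d, "groupId"), _text(d, "artifactId"))
        version = _interpolate(_text(d, "version") or managed.get(key), props)
        pinned = bool(version and CONCRETE_RE.match(version)
                      and not version.endswith("-SNAPSHOT"))
        inventory.append({"groupId": key[0], "artifactId": key[1], "version": version,
                          "scope": _text(d, "scope", default="compile"), "pinned": pinned})
    return inventory


def unpinned(inventory: List[Dict]) -> List[str]:
    """groupId:artifactId of every dependency whose shipped version is not fixed."""
    return [f'{d["groupId"]}:{d["artifactId"]}' for d in inventory if not d["pinned"]]


if __name__ == "__main__":
    inv = pom_inventory(SAMPLE_POM)
    for d in inv:
        print(f'{d["groupId"]}:{d["artifactId"]}:{d["version"]} ({d["scope"]})')
    print("unpinned:", unpinned(inv))
```

This reads a single pom only; a parent pom or an imported BOM can supply managed versions this code never sees, so for a multi-module build the authoritative inventory is what Maven itself resolves, and this parser is best used as a quick pre-check for unpinned entries.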