Analyzing security vulnerabilities
npm is well known for having a low barrier to entry, making it a prime choice for a Node.js package manager today. Likewise, it is easy to implement and publish npm modules, making it a perfect target for malicious modules to find their way into the production code of unsuspecting developers.
Moreover, open source developers, like most people, are subject to making mistakes, whether it be mislabeling releases or pushing non-functional code to master. With nodome.io, we're looking to assist fellow Node.js developers by creating a platform on which they are able to verify the integrity of any npm package before integrating it into their application.
What it does
nodome.io is both a data-driven and social platform which provides developers with detailed real-time information concerning security issues and vulnerabilities of a specific version of an npm package. Moreover, the application informs developers on both the latest available release (latest package version available on npm) and the latest stable release (a release which passes our numerous heuristic evaluations and/or is endorsed by an active open source developer). Numerous automated processes are employed to flag risks and evaluate their potential impact on a package, while users are allowed to vote and comment to influence the social aspect of the integrity evaluation.
How we built it
To start, plenty of research on heuristic criteria was collected for accurately evaluating security threats to npm modules. To assist with these metrics, we used the Snyk API, an open source security API. We used Firebase for caching our API data, significantly improving the performance of repeated queries on a single npm package. For the frontend, we used React.
Challenges we ran into
Computing heuristics for each package, especially given that we clone each npm package and GitHub repo that we analyze on the server, turned out to be computationally expensive. On top of that, given the recursive nature of verifying package dependencies, a heuristic analysis has to run on a package, its dependencies, those packages' dependencies, and so on.
Otherwise, sleep deprivation and snacks being inversely correlated (and not in the good way).
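The cost of the recursive verification described in the first challenge above, as an added illustration (not code from nodome.io): a naive walk re-analyzes every shared dependency once per path that reaches it, while a cache of finished analyses (the role Firebase plays in the write-up; a plain Set stands in here) runs each expensive per-package analysis once and makes repeated queries on an already-seen package free. The registry metadata is constructed sample data, and the package names are hypothetical.

```javascript
// Constructed sample registry (not real npm data): package name -> the
// dependency names declared in its package.json. "util" and "logger" are
// reached through several paths, as shared dependencies usually are.
const REGISTRY = {
  app:    ["web", "cli", "util"],
  web:    ["util", "logger"],
  cli:    ["util", "logger", "colors"],
  logger: ["util"],
  colors: ["util"],
  util:   [],
};

// Naive recursion: counts one analysis every time a package is reached,
// so shared dependencies are analyzed again and again. It would also loop
// forever on a dependency cycle.
function naiveAnalysisCount(name, registry = REGISTRY) {
  let count = 1; // the expensive heuristic run for this package
  for (const dep of registry[name] || []) {
    count += naiveAnalysisCount(dep, registry);
  }
  return count;
}

// Cached traversal: `cache` holds packages whose analysis is already done
// and can be shared across queries; `inProgress` guards against cycles.
function cachedAnalysis(root, registry = REGISTRY, cache = new Set()) {
  const inProgress = new Set();
  let analyses = 0;
  function visit(name) {
    if (cache.has(name) || inProgress.has(name)) return; // cached or cycle
    if (!(name in registry)) throw new Error(`unknown package: ${name}`);
    inProgress.add(name);
    for (const dep of registry[name]) visit(dep); // dependencies first
    inProgress.delete(name);
    analyses += 1; // the expensive per-package analysis happens once here
    cache.add(name);
  }
  visit(root);
  return { analyses, cached: cache.size };
}

// Stand-alone demonstration of the two approaches on the sample registry.
const sharedCache = new Set();
console.log("naive analyses for app:", naiveAnalysisCount("app"));
console.log("cached analyses for app:", cachedAnalysis("app", REGISTRY, sharedCache));
console.log("repeat query for cli:", cachedAnalysis("cli", REGISTRY, sharedCache));
```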
Accomplishments that we're proud of
The idea itself and our attempt to tackle the issue of npm module security is one that as developers we were very passionate about. We believe that this is a very prominent issue in the Node.js development community, especially given how many times security vulnerabilities related to npm have caused commotions. Also, we're very proud of our frontend interface and the user experience we provide for querying packages and viewing vulnerabilities.
What we learned
Creating an efficient system was WAY harder than we thought. Our project would benefit significantly from running isolated tasks on separate EC2 instances and using a message broker.
What's next for Nodome.io
Next steps for Nodome.io include improving the social heuristic aspect, since we mostly focused on developing the data-driven heuristics, as social heuristics require a community to be relevant. Additionally, we planned on creating a graph visualization of dependencies and their relationships to a particular package. As we didn't have time to implement this, we're planning to do so shortly.