Elixir/Erlang Support for Dependency Scanning

Problem to solve

While analysing the NVD feed, I realised that some vulnerability reports refer to packages hosted on https://hex.pm, which is a package registry for Erlang and Elixir. For NVD2019, I have counted roughly a dozen CVEs that could be directly linked to Erlang packages. I arrived at this number by doing a simple keyword search (with hex and erlang), so there could actually be more Elixir/Erlang-related CVEs.

Elixir is in the Top 10 of "Most Loved Programming Languages" based on the Stack Overflow Developer Survey. It is also in the Top 10 of languages that can be associated with the highest salaries worldwide.

Intended users

Proposal

  • Add hex as package-type to gemnasium-db
  • Create analyzers for Erlang and Elixir projects

What does success look like, and how can we measure that?

More interest from security personas. Dependency scanning for Erlang/Elixir projects.

What is the type of buyer?

Ultimate

Links / references

group composition analysis feature

/cc @gonzoyumo @NicoleSchwartz @fcatteau

Edited by 🤖 GitLab Bot 🤖