Check npm/Yarn lockfiles for potentially malicious (transitive) dependencies as part of AST - Dependency Scanning
Problem to solve
Malicious dependencies can be added to a project hidden in a lockfile. A lockfile pins the exact `resolved` URL and `integrity` hash of every direct and transitive package, so someone who can change it (for example in a Merge Request) can point an entry at an attacker-controlled host or at a different tarball while `package.json` stays unchanged, and lockfile diffs are rarely reviewed by hand. For more details, see https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/
Intended users
Developers in charge of accepting Merge Requests, Security Analysts.
Further details
This would provide more security assurances to users of GitLab.
Proposal
Integrate lockfile-lint into AST scanning for JavaScript (npm/Yarn) projects. This would automatically warn people who use AST about potentially malicious dependencies, such as lockfile entries resolved from a host other than the configured registry, fetched over an insecure scheme, or lacking an integrity hash.
Permissions and Security
No new permissions needed.
Documentation
I guess just listing that the tool is used in the docs?
Testing
?
What does success look like, and how can we measure that?
Fewer malicious dependencies in GitLab projects?
What is the type of buyer?
?
Links / references
- https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/
- https://github.com/lirantal/lockfile-lint
*Within AST this is currently most likely a fit for Composition Analysis, but elements could be in any of our AST solutions.
Edited by Nicole Schwartz