Google has built an online tool that maps all the dependencies of millions of open source software libraries and flags unpatched vulnerabilities.

This helps you find out exactly what is inside a library you use in a programming project and, importantly, whether it contains hidden security bugs that haven’t been fixed. You can then choose a different set of packages, or patch the affected ones, to stop your application being exploited through them.

Nowadays, when you pull a library into a project, you usually pull in dozens of dependencies and sub-dependencies along with it. Any one of those components could contain a security hole, which in turn makes the parent program vulnerable to attack.

These dependencies can also break or disappear, preventing your code from building, deploying, or running as expected. Programs can also keep importing old versions of libraries without ever updating them, which means missing out on bug fixes, security patches, and new features.

It’s fair to say developers often have little idea what they are pulling in, or what lies under the surface, when they add a library to a project. This fragile state of software engineering affects commercial applications as well as free software, and is something Google staffers have been increasingly vocal about.

The goal

That brings us to the web giant’s dependency research tool, called Open Source Insights, which was announced today and is available at deps.dev. You search for a package, browse its contents as a table or a graph, and any known security holes in its dependencies are flagged.

Today, the service is said to index, scan, and monitor npm’s 1.63 million JavaScript libraries, 624,000 Go modules, 404,000 Java Maven artifacts, and 62,000 Rust Cargo crates, with PyPI and NuGet packages to be added next. It is free to use.

“Open Source Insights continuously scans millions of projects in the open source software ecosystem, gathering information about packages, including licensing, ownership, security issues, downloads, popularity signals, and other metadata such as OpenSSF Scorecards,” said Andrew Gerrand, Michael Goddard, Rob Pike, and Nicky Ringland of the project.

“It then builds a full dependency graph, transitively tracking dependencies, dependencies’ dependencies, and so on, incorporates the metadata, and publishes it so you can see how it all affects your software. And the information it provides is continually updated.”

How does it work?

Your humble vulture decided to try out the service with a library picked off the top of his head: a handy Rust crate called tui.

With this software, you can create nice-looking text-based user interfaces in a terminal. It has been starred more than 5,100 times on GitHub, has many contributors, and is used to build a variety of apps, including terminal-based Spotify clients.

Type tui into the deps.dev search bar and select the Cargo crate to bring up the library’s dashboard. Click the Dependencies tab to see a searchable table of its components, and click the Graph button on the right to open a visualization of the tui library’s dependencies.

The tangled web of tui’s dependencies, as drawn by deps.dev

You can zoom the graph view by scrolling and move nodes by clicking and dragging them. Each crate, starting with tui, has arrowed lines pointing at its dependencies. For example, you can follow the chain of dependencies down to the crate that handles Windows API calls on that operating system, and all the paths that lead to libc.

More importantly, and somewhat unexpectedly for a Rust project, Google’s service shows there are some security holes in the latest version of tui, 0.15.0.

Um … security issues flagged by Google’s service

These turn out to be in tui’s dependencies, and programmers who use the interface library in their applications may well be unaware of the buried bugs.

One of these vulnerabilities is RUSTSEC-2019-0005 in pancurses, a dependency of tui. That library is one of tui’s available backends, and it sends the necessary character sequences to a terminal (on Linux or Windows) to display the text-based user interface.

The bug can be exploited in an “uncontrolled format string attack that allows you to easily write arbitrary data to stack memory.” It is present in pancurses version 0.16.1, which is the latest version and the one tui uses in its latest release.

That suggests it may be possible to hijack applications that use tui via pancurses by feeding them specially crafted data, such as filenames, file contents, or information from the network, that reaches the affected calls.
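To make the bug class concrete, here is an added example in Rust that is not code from tui, pancurses, ncurses, or the advisory. It contrasts the unsound call pattern (untrusted text used as the C format string) with the hardened form (a fixed format, untrusted text passed as an argument). It uses libc’s snprintf as a stand-in for the curses printw family, since both take a printf-style format followed by varargs; the buffer size, function names, and the hostile input are this example’s own choices, and the vulnerable function is shown for contrast only and never called.

```rust
use std::ffi::{CStr, CString};
use std::os::raw::{c_char, c_int};

// libc's snprintf, declared directly so this compiles without the ncurses C
// library. It takes a printf-style format plus varargs, exactly like curses'
// printw/mvprintw, so the same mistake has the same consequence in both.
extern "C" {
    fn snprintf(buf: *mut c_char, size: usize, fmt: *const c_char, ...) -> c_int;
}

/// VULNERABLE PATTERN (shown for contrast, never called in this example): the
/// untrusted text is itself handed to C as the format string. Any '%' directive
/// in it is honoured: "%x" reads varargs that were never passed and "%n" writes
/// the byte count so far through a pointer taken from those phantom arguments.
/// That is the bug class RUSTSEC-2019-0005 describes, and it is undefined behaviour.
pub unsafe fn render_vulnerable(untrusted: &str) -> String {
    let mut buf = [0 as c_char; 256];
    let fmt = CString::new(untrusted).expect("no interior NUL");
    unsafe { snprintf(buf.as_mut_ptr(), buf.len(), fmt.as_ptr()) }; // attacker controls fmt
    unsafe { CStr::from_ptr(buf.as_ptr()) }.to_string_lossy().into_owned()
}

/// HARDENED: the program supplies a fixed "%s" format and the untrusted text goes
/// in as the argument, so its '%' characters are copied literally. Interior NUL
/// bytes and over-long input are rejected rather than silently truncated into a
/// different message.
pub fn render_hardened(untrusted: &str) -> Result<String, &'static str> {
    const FMT: &[u8] = b"%s\0";
    let text = CString::new(untrusted).map_err(|_| "interior NUL byte")?;
    let mut buf = [0 as c_char; 256];
    let written = unsafe {
        snprintf(buf.as_mut_ptr(), buf.len(), FMT.as_ptr() as *const c_char, text.as_ptr())
    };
    // snprintf returns the length it wanted to write; >= buffer size means truncation.
    if written < 0 || written as usize >= buf.len() {
        return Err("input does not fit the buffer");
    }
    Ok(unsafe { CStr::from_ptr(buf.as_ptr()) }.to_string_lossy().into_owned())
}

fn main() {
    // Constructed hostile input: the vulnerable path would interpret these as
    // directives; the hardened path renders them literally.
    println!("{:?}", render_hardened("%x %x %x %n"));
}
```

The fix is not "sanitize the percent signs" but "never let data choose the format": the format string must be a compile-time literal owned by the program, and everything user-derived goes through `%s`.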

Another vulnerability is RUSTSEC-2019-0006, in the ncurses crate, a thin wrapper around the ncurses C library. It exists in the latest version of the wrapper crate, 5.101.0, as well as in the version pancurses uses, 5.91.0. It can be exploited via buffer overflows and format string attacks and, like the flaw above, could be used to hijack applications by feeding them maliciously crafted input data.

The two bugs are documented in detail here, if you’re interested, along with a proof-of-concept crash exploit. It serves as an example of how Google’s Open Source Insights can be used to discover potential security flaws in a project’s dependency graph, even if those flaws may not be practically exploitable in a given real-world application.
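To show what the transitive graph and advisory matching described above boil down to, here is an added example in Rust that is not part of deps.dev or of this article: a minimal Cargo.lock parser, a breadth-first walk from a root crate that records the path to every crate it reaches, and a match of each reachable crate against an embedded copy of the two advisories. The lockfile is constructed to mirror the chain the article describes (tui 0.15.0 -> pancurses 0.16.1 -> ncurses 5.91.0) and is not any real project’s file; the advisory tuple shape is this example’s own, and both advisories are treated as having no fixed release, which matches the article’s statement that the latest versions are affected.

```rust
use std::collections::{BTreeMap, HashMap, VecDeque};
/// One `[[package]]` table from Cargo.lock. Assumption: one version per crate name.
pub struct Package { pub name: String, pub version: String, pub deps: Vec<String> }
/// A flagged crate plus the root-to-crate path that explains why it is in the build.
pub struct Finding { pub id: String, pub package: String, pub version: String, pub path: Vec<String> }
/// Assumed advisory shape: (id, crate, first fixed version or None). These are the two
/// advisories the article names, treated as unpatched as the article states.
pub const ADVISORIES: &[(&str, &str, Option<&str>)] =
    &[("RUSTSEC-2019-0005", "pancurses", None), ("RUSTSEC-2019-0006", "ncurses", None)];

fn unquote(s: &str) -> Option<String> {
    s.trim().strip_prefix('"')?.strip_suffix('"').map(str::to_string)
}

/// Line-oriented parser for Cargo.lock `[[package]]` tables; source/checksum lines are
/// ignored and dependency entries (`"name"` or `"name version"`) are keyed by crate name.
pub fn parse_lock(text: &str) -> Vec<Package> {
    let (mut pkgs, mut cur, mut in_deps) = (Vec::new(), None::<Package>, false);
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            pkgs.extend(cur.replace(Package { name: String::new(), version: String::new(), deps: vec![] }));
            continue;
        }
        let p = match cur.as_mut() { Some(p) => p, None => continue };
        if in_deps {
            if line.starts_with(']') { in_deps = false; }
            else if let Some(spec) = unquote(line.trim_end_matches(',')) {
                p.deps.push(spec.split_whitespace().next().unwrap_or("").to_string());
            }
        } else if let Some(v) = line.strip_prefix("name = ") { p.name = unquote(v).unwrap_or_default(); }
        else if let Some(v) = line.strip_prefix("version = ") { p.version = unquote(v).unwrap_or_default(); }
        else if line.starts_with("dependencies = [") { in_deps = !line.ends_with(']'); }
    }
    pkgs.extend(cur);
    pkgs
}

/// Breadth-first walk from `root`: every transitively reachable crate, mapped to the
/// shortest root-to-crate path as "name version" labels.
pub fn transitive_deps(pkgs: &[Package], root: &str) -> BTreeMap<String, Vec<String>> {
    let by_name: HashMap<&str, &Package> = pkgs.iter().map(|p| (p.name.as_str(), p)).collect();
    let (mut paths, mut queue) = (BTreeMap::new(), VecDeque::new());
    if let Some(&r) = by_name.get(root) {
        paths.insert(r.name.clone(), vec![format!("{} {}", r.name, r.version)]);
        queue.push_back(r);
    }
    while let Some(p) = queue.pop_front() {
        for d in &p.deps {
            if paths.contains_key(d) { continue; } // already reached; also stops cycles
            if let Some(&dep) = by_name.get(d.as_str()) {
                let mut path = paths[&p.name].clone();
                path.push(format!("{} {}", dep.name, dep.version));
                paths.insert(dep.name.clone(), path);
                queue.push_back(dep);
            }
        }
    }
    paths
}

/// Numeric semver compare ("5.91.0" < "5.101.0", which a plain string compare gets wrong);
/// pre-release/build suffixes are dropped, which is enough for locked versions.
pub fn version_lt(a: &str, b: &str) -> bool {
    let num = |v: &str| -> Vec<u64> {
        v.split(|c| c == '-' || c == '+').next().unwrap_or("").split('.').map(|n| n.parse().unwrap_or(0)).collect()
    };
    num(a) < num(b)
}

/// Parse, walk from `root`, and report reachable crates that fall inside an advisory.
pub fn audit(lock: &str, root: &str) -> Vec<Finding> {
    let pkgs = parse_lock(lock);
    let reach = transitive_deps(&pkgs, root);
    let mut out = Vec::new();
    for p in &pkgs {
        let path = match reach.get(&p.name) { Some(x) => x, None => continue };
        // None = no fixed release, so every version is affected; otherwise anything below the fix.
        for a in ADVISORIES.iter().filter(|a| a.1 == p.name && a.2.map_or(true, |f| version_lt(&p.version, f))) {
            out.push(Finding { id: a.0.to_string(), package: p.name.clone(), version: p.version.clone(), path: path.clone() });
        }
    }
    out.sort_by(|x, y| x.package.cmp(&y.package));
    out
}

/// Constructed sample mirroring the chain the article describes; not a real project's lockfile.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "tui"
version = "0.15.0"
dependencies = [
 "pancurses",
]
[[package]]
name = "pancurses"
version = "0.16.1"
dependencies = [
 "ncurses 5.91.0",
]
[[package]]
name = "ncurses"
version = "5.91.0"
"#;
```

Calling `audit(SAMPLE_LOCK, "tui")` returns two findings, each carrying the path that explains why the flagged crate is in the build (tui 0.15.0 -> pancurses 0.16.1 -> ncurses 5.91.0 for the ncurses one). The numeric version compare matters for exactly the case on this page: as strings, "5.91.0" sorts after "5.101.0", so a naive comparison would wrongly treat the older ncurses as newer than the latest release.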

There are other dependency vulnerability scanners out there: GitHub has one, OWASP has one, and so does Snyk. Feel free to share your recommendations in the comments.
