paazmaya.fi

The Website of Juga Paazmaya | Stories about web development, hardware prototyping, and education

Scanning Vulnerabilities and Licenses

There are several services that do this kind of scanning. Some are free if the project in question is open sourced, but they might only provide part of their full service.

Finding out which licenses a given project employs might become necessary during its lifecycle, for example, when launching a public website that incorporates third-party dependencies under licenses like AGPL-3.0-only. Such licenses mandate that you disclose your source code upon distributing, publishing, or serving (via a web portal) modified or derivative software.

Moreover, it’s equally important to identify whether any known security vulnerabilities exist within these third-party dependencies or within their own dependencies further down the tree. Various services offer this scanning functionality; some are free for open-source projects but may only provide partial services.

While license scanning in npm projects is relatively straightforward—checking the license property in package.json, and if absent, searching for a LICENSE file—the main challenge lies in selecting the vulnerability database used to detect known security issues. If all services contributed to one central database, it would benefit everyone; however, given that this is business, they don’t.
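As an added illustration of that package.json-then-LICENSE-file check (example code written for this post, not from the author or any of the services mentioned; the phrase table and the sample dependency tree are constructed), the script below inventories every package under node_modules, transitive ones included, and flags GPL-family licences such as AGPL-3.0-only for the disclosure review described above.

```python
import json, os, tempfile
from pathlib import Path
# Constructed heuristic table of phrases from common licence texts; not SPDX-complete.
LICENSE_PHRASES = [("GNU AFFERO GENERAL PUBLIC LICENSE", "AGPL-3.0-only"),
                   ("GNU GENERAL PUBLIC LICENSE", "GPL-3.0-only"),
                   ("Apache License", "Apache-2.0"), ("Permission is hereby granted", "MIT")]
LICENSE_FILENAMES = ("LICENSE", "LICENSE.md", "LICENSE.txt", "LICENCE", "COPYING")

def license_from_manifest(manifest):
    lic = manifest.get("license")
    lic = lic.get("type") if isinstance(lic, dict) else lic  # legacy {"type": ...} form
    return lic.strip() if isinstance(lic, str) and lic.strip() else None

def license_from_file(pkg_dir):
    """Fallback: match the LICENSE file text against LICENSE_PHRASES, else 'UNKNOWN'."""
    for path in (Path(pkg_dir, n) for n in LICENSE_FILENAMES):
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            return next((s for p, s in LICENSE_PHRASES if p in text), "UNKNOWN")
    return "UNKNOWN"

def scan_node_modules(project_root):
    """package name -> (licence, source) for every package.json under node_modules, transitive included."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(os.path.join(project_root, "node_modules")):
        if "package.json" in files:
            manifest = json.loads(Path(dirpath, "package.json").read_text(encoding="utf-8"))
            name = manifest.get("name") or os.path.basename(dirpath)
            declared = license_from_manifest(manifest)
            inventory[name] = ((declared, "package.json") if declared
                               else (license_from_file(dirpath), "LICENSE file"))
    return inventory

def copyleft_packages(inventory):
    """Packages in the GPL family (AGPL/GPL/LGPL), i.e. the ones needing disclosure review."""
    return sorted(n for n, (lic, _) in inventory.items() if lic.upper().startswith(("AGPL", "GPL", "LGPL")))

def build_sample_tree():
    """Constructed fixture: declared MIT, AGPL known only from LICENSE, nested unlicensed dep."""
    root = tempfile.mkdtemp()
    fixtures = {"a-lib": ({"name": "a-lib", "license": "MIT"}, None),
                "b-lib": ({"name": "b-lib"}, "GNU AFFERO GENERAL PUBLIC LICENSE\nVersion 3"),
                "b-lib/node_modules/c-lib": ({"name": "c-lib"}, None)}
    for rel, (manifest, text) in fixtures.items():
        pkg = Path(root, "node_modules", rel)
        pkg.mkdir(parents=True, exist_ok=True)
        (pkg / "package.json").write_text(json.dumps(manifest))
        if text:
            (pkg / "LICENSE").write_text(text)
    return root
```

Packages reported as UNKNOWN are the ones a dedicated scanner (or a human) still has to look at; the phrase table deliberately errs toward not guessing.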

Several services offer free usage for open-source projects:

These three services integrate well with GitHub, and WhiteSource is utilized by GitHub itself for repository security assessments (GitHub Blog).

In addition to the services, there are other options, such as installing a few tools locally. Most notable is the AboutCode project, whose scancode-toolkit can be installed with pip:

pip install scancode-toolkit

If the installation fails on macOS, setting environment variables such as these (Homebrew paths for ICU 64.2 shown) before running pip might help:

export ICU_VERSION=64
export PYICU_INCLUDES=/usr/local/Cellar/icu4c/64.2/include
export PYICU_LFLAGS=-L/usr/local/Cellar/icu4c/64.2/lib
export PYICU_CFLAGS=-std=c++11

Once installed, run the following in the project directory that should be scanned:

scancode --package --license --copyright --url --info --email --license-diag \
 --max-in-memory 1000 --processes 0 . --json results.json

The AboutCode project contains another tool called scancode-workbench, an Electron-based frontend for viewing the results produced by scancode-toolkit. Download and extract it, then run it; in its user interface the results.json file can be imported and the results inspected. Importing creates a SQLite database that can be reused later if needed.

For further reading, see the OpenChain Project.