Can we find a vulnerability scanner that works with pnpm?

[joecowton1]

Currently across the Guardian we use Snyk to check for dependency vulnerabilities, and Dependabot to check for dependency updates.

Neither of these works with pnpm, which we use here in csnx.

We currently use Renovate to update dependencies, we're awaiting full approval from the tech council for wider use, but as a test it seems to be working well.

We'd like to find a vulnerability scanner to suggest for approval by Infosec. There was talk at the recent Dev X / Infosec catchup that it would be good to think holistically about a department wide solution to dependency vulnerability, perhaps we can use csnx as a testbed for this.

Suggestions so far have been:

• Google osv scanner
• Mend Bolt

Please add any thoughts below.

[joecowton1]

This is linked to from the Google security blog as an example of osv scanner thats ready to use in GitHub: https://securityscorecards.dev/

[joecowton1]

Tested Mend Bolt on a personal repo which showed the following:

• its very easy to setup, and results in any vulnerabilities being highlighted as issues in the repo
• the free version gives 5 scans per repo per day, these are trigger when a change to a package.json is pushed, so if a PR contains a change to a dependency its easy to use those scans up pretty fast
• it only scans the package.lock, not the pnpm-lock so i assume that means it wouldn't check for transitive deps, which is a bit of an issue

[joecowton1]

From a discusion with @kenoir

Robert Kenny:
So there is such a thing as an Software Bill of Materials (SBOM), which I think is intended as a consumer agnostic way of conveying the dependencies of your application (Snyk released some tools around this late last year: https://snyk.io/blog/snyklaunch-recap/ - also https://snyk.io/code-checker/sbom-security/).

There seem to be a couple of formats for SBOMs, but if you can generate one for your pnpm project (https://www.npmjs.com/package/pnpm-cdx) and then upload that to the Snyk API, you might be able to get Snyk to understand the projects vulnerabilities.

This is entirely based on googling about a bit, and I have not tested this idea at all.

Joe Cowton:

Quick brain dump:

• this seems the most promising when it comes to generating sbom files from pnpm-lock: https://github.com/CycloneDX/cdxgen
• this page on the Snyk site has an sbom tester: https://snyk.io/code-checker/sbom-security/ it also literally says "Automate and integrate your entire SBOM management process into developer workflows with Snyk." so it must be possible

I was starting to look at creating a GH action in csnx then realised the vast majority of snyk logic is here in the sbt-node-snyk action (https://github.com/guardian/.github/blob/main/.github/workflows/sbt-node-snyk.yml) - long term would it make sense to add an option here for pnpm that generates the sbom and passes that to snyk? Obvs need to work out how to do that first.

Robert Kenny:

"Automate and integrate your entire SBOM management process into developer workflows with Snyk." so it must be possible.

I wouldn't take it as a done deal that their API actually supports this, especially that it's assignable to a Snyk project (aka repo). I think they are making noise about it because it lets them sell things to the US Government, but everything i've come across is about creating SBOMs from your projects to export.

add an option here for pnpm that generates the sbom and passes that to snyk?

If you can find where in the Snyk API to do that, then yes. If not the workflow could also pass the SBOM to another service to generate a list of vulnerabilities (you may even be able to use the Snyk API for that) which ends up being reported somewhere else.

There are some interesting examples here: https://github.com/garethr/snyk-sbom-examples

This one in particular takes a CycloneDX format SBOM and uses the Snyk API to generate a list of vulnerabilities: https://github.com/garethr/snyk-sbom-examples/blob/main/purl-cyclonedx/cyclone-to-vuln.py

But note it's not pushing the whole document at the API, which is what i'd expect.