Dependency scanning #4131

SaadBazaz · 2024-09-30T06:31:04Z

SaadBazaz
Sep 30, 2024

I think we should also have a basic dependency-scanning security rule.

e.g. called useSafeDependencies or something like that (I'm not even sure it would be in linting, probably in analyzer?)

How I imagine this to be built:

Work on only two files: package.json and *-lock.(yml|json)
Take packagejson object, take .dependencies and .devDependencies, for each field and corresponding string make an API call to a scanner like https://listen.dev, and display results in popup in real-time.
If there are high vulnerabilities, display them in a nice display

Of course this can't replace commit hooks or CI/CD scanning processes, but at least it's realtime. And can prevent potential problems from spreading immediately. Specially if it's easy to set up.

SaadBazaz · 2024-10-08T05:33:57Z

SaadBazaz
Oct 8, 2024
Author

@Conaclos @ematipico -

What say? Do you guys think it's worth pursuing?

If yes, I inspected the code a bit and it seems we've used network calls (with ureq) in only one place:

biome/xtask/codegen/src/unicode.rs

Line 91 in c97a4af

    
           let raw = ureq::get("http://www.unicode.org/Public/UNIDATA/DerivedCoreProperties.txt")

Are we comfortable with using it in a lint-rule?

1 reply

ematipico Oct 8, 2024
Maintainer

We don't use network calls in Biome. That code you found is for our internal tooling for auto-generated code.

ematipico · 2024-10-08T06:14:03Z

ematipico
Oct 8, 2024
Maintainer

A couple of questions:

Biome doesn't have plugins. Did you use the incorrect wording?
Can't users use those tools directly? What can Biome do that other tools can't?

1 reply

SaadBazaz Oct 8, 2024
Author

Ah sorry. Must have typed when half asleep. Corrected.
I suppose with Biome, they can just have one tool to install to manage almost everything from linting, formatting and up until basic security protection. Could protect more projects in the future, specially newbie ones. But yes, it steers Biome in a direction which may or may not be desirable in the future. Really depends on the project's direction and maintainer's vision.

Conaclos · 2024-10-08T08:56:46Z

Conaclos
Oct 8, 2024
Maintainer

There are already really good tools for scanning and reporting questionable dependencies. I think this is beyond the scope of Biome.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dependency scanning #4131

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 3 comments 2 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

Dependency scanning #4131

SaadBazaz Sep 30, 2024

Replies: 3 comments · 2 replies

SaadBazaz Oct 8, 2024 Author

ematipico Oct 8, 2024 Maintainer

ematipico Oct 8, 2024 Maintainer

SaadBazaz Oct 8, 2024 Author

Conaclos Oct 8, 2024 Maintainer

SaadBazaz
Sep 30, 2024

Replies: 3 comments 2 replies

SaadBazaz
Oct 8, 2024
Author

ematipico Oct 8, 2024
Maintainer

ematipico
Oct 8, 2024
Maintainer

SaadBazaz Oct 8, 2024
Author

Conaclos
Oct 8, 2024
Maintainer