It finally happened to you. A developer used ‘import A’. A pulled in B, B pulled in C, D. D pulled in E… and somewhere along that chain evil lurked. Now all your bits are belong to l33t hackerz.
So like all things in life its time to over-react after the fact (something about a barn door and a horse).
And like all good things in life research ~= google. So you do. And you find… shocking… a set of tools. Sadly language specific, but lets not be greedy.
- Use Scala? How about dependency.flow.io.
- Use Python? How about https://pyup.io/.
- Use … well, check out https://requires.io/.
What these tools do is glom onto your git repo and snoop around. They find a ‘requirements.txt’ etc, parse it. Then they go find those packages, parse them, and so on. A tree is built. And then they watch the vulnerability stream of those upstreams for you. Some even conveniently issue a Pull-Request to your repo when they find an issue for you!
And cuz its (nearly 2019), they all have an API, a freemium business model, and some ‘open-ish’ source on Github.
But, tl;dr: if you are waiting for bad things to happen to good software in production as a means of knowing you have a security issue, maybe you should look at moving it upstream with some auto-security-dependency-tracking. You can maybe merge this with your SAST platform (like Clair).