Security Alerts for NodeJS

Since a couple of weeks ago VersionEye has shown security issues for PHP projects. Now this feature works the same way for NodeJS / NPM packages. If VersionEye is monitoring a package.json for you, you will see the “Security” tab in the project view, just like in this example.

VersionEye-NodeJS-Security-View

In the “Security” tab all known security vulnerabilities are listed for your 3rd party dependencies. Clicking on the package name opens the package detail page with a more detailed description of the security vulnerability.

VersionEye-NodeJS-Security

In most cases the recommended fix is to update to the current version of the affected software package.

This feature is pretty new, but it has already been well tested by the PHP community. Your feedback is welcome anyway, either here in the comments or on Twitter.

Improved Security Feature

Since a couple of days ago VersionEye has been showing security vulnerabilities for PHP. If VersionEye is monitoring a composer.json/composer.lock file for you, you will see a security tab in your project detail view, where all the known security vulnerabilities are displayed. The problem with that is that you still have to go into the project and into the security tab to see them. If you have many projects, that can be time consuming. It would be great to see directly in the project overview which of your projects are affected. And now it works like that: vulnerable projects are marked completely red in the project overview.

Screen Shot 2015-06-12 at 12.02.14

That way you can see immediately which of your projects are affected and how many known security vulnerabilities are assigned to your project dependencies.

PHP Security Vulnerabilities

Now VersionEye has notifications for security vulnerabilities! This new feature currently only works for PHP. Right now we have 118 security vulnerabilities in our database, which affect some of the most used PHP frameworks and libraries. The security vulnerabilities are fetched from the SensioLabs security database. VersionEye displays the security vulnerabilities directly on the VersionEye detail pages. Here is an example.

Screen Shot 2015-05-07 at 14.08.05

VersionEye displays at least 1 link to an article where the security vulnerability is documented in great detail. Besides that, the affected versions are displayed as well.

But that’s not all. If VersionEye is monitoring your PHP project directly on GitHub/Bitbucket or Stash, you will see a “Security” tab in your project view. Here is an example.

Screen Shot 2015-05-13 at 15.28.22

In the “Security” tab we display known vulnerabilities for your project. If there are any security vulnerabilities for your project the dependency badge turns red to “update!”.

This feature is strongly based on locked versions. If VersionEye has access to your composer.lock file, it knows exactly which version you are using in production and it can assign security vulnerabilities 100% accurately. If VersionEye only has access to your composer.json file, but not to your composer.lock file, it doesn’t know exactly which versions you are using in production. In that case VersionEye assumes that all version expressions are resolved to the newest version. But because we don’t know that for sure, it doesn’t affect the dependency badge. For composer.json files we display that hint in the security tab.

Screen Shot 2015-05-13 at 15.35.58

If you want to take full advantage of this feature you should commit your composer.lock file to your git repository and give VersionEye access to it. That is best practice anyway.
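The difference between matching against a lock file and matching against a manifest, as described above, can be shown in a few lines of Python. This is an added example and not VersionEye’s own code: the composer.lock and composer.json fragments, the advisory entries (package name, affected version range, link) and the “newest version” table are all constructed here to stand in for the real project files, the SensioLabs feed and the registry. The package names and links are invented placeholders.

```python
import json

# Constructed composer.lock fragment: exact versions installed in production.
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "example/http-foundation", "version": "v2.3.1"},
        {"name": "example/yaml", "version": "v3.0.0"},
    ]
})

# Constructed composer.json fragment: only version constraints, no exact versions.
COMPOSER_JSON = json.dumps({
    "require": {
        "example/http-foundation": "~2.3",
        "example/yaml": "^3.0",
    }
})

# Constructed advisory entries, shaped loosely like a security feed:
# the affected range is a comma-separated list of clauses that must all hold.
ADVISORIES = [
    {"package": "example/http-foundation", "affected": "<2.3.4",
     "link": "https://advisory.invalid/http-foundation-1"},
    {"package": "example/yaml", "affected": ">=2.0.0,<2.8.0",
     "link": "https://advisory.invalid/yaml-1"},
]

# Constructed "newest known version" per package, standing in for the registry.
NEWEST = {"example/http-foundation": "2.3.3", "example/yaml": "3.1.0"}


def parse_version(version):
    """Turn '2.3.1' or 'v2.3.1' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def is_affected(version, affected_range):
    """True if version satisfies every clause of the affected range."""
    v = parse_version(version)
    for clause in affected_range.split(","):
        clause = clause.strip()
        if clause.startswith("<="):
            ok = v <= parse_version(clause[2:])
        elif clause.startswith(">="):
            ok = v >= parse_version(clause[2:])
        elif clause.startswith("<"):
            ok = v < parse_version(clause[1:])
        elif clause.startswith(">"):
            ok = v > parse_version(clause[1:])
        else:
            raise ValueError("unsupported clause: %s" % clause)
        if not ok:
            return False
    return True


def find_vulnerabilities(lock_json=None, manifest_json=None):
    """Return (findings, exact).

    With a lock file the installed versions are known and exact is True.
    With only a manifest, every constraint is assumed to resolve to the
    newest version, and exact is False so callers can show a hint instead
    of treating the result as certain.
    """
    if lock_json is not None:
        versions = {p["name"]: p["version"] for p in json.loads(lock_json)["packages"]}
        exact = True
    else:
        versions = {name: NEWEST[name] for name in json.loads(manifest_json)["require"]}
        exact = False
    findings = []
    for adv in ADVISORIES:
        version = versions.get(adv["package"])
        if version is not None and is_affected(version, adv["affected"]):
            findings.append({"package": adv["package"], "version": version, "link": adv["link"]})
    return findings, exact


def dependency_badge(findings, exact):
    """Only matches against locked versions are allowed to flip the badge."""
    return "update!" if findings and exact else "up to date"


if __name__ == "__main__":
    for label, kwargs in (("lock", {"lock_json": COMPOSER_LOCK}),
                          ("manifest", {"manifest_json": COMPOSER_JSON})):
        findings, exact = find_vulnerabilities(**kwargs)
        print(label, findings, "badge:", dependency_badge(findings, exact))
```

With the lock file the 2.3.1 pin of example/http-foundation matches the advisory and the badge turns to “update!”. With only the manifest the same package is assumed to be at its newest version, which in this constructed table is still inside the affected range; the finding is still listed, but because the match is only an assumption the badge stays unchanged.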

This feature is very new and we heavily rely on your feedback. Please try it out and let us know if you find anything odd.

The Heartbleed Bug

If you don’t live behind the moon you have probably already heard about the Heartbleed bug in OpenSSL. This bug is so critical for the security of the internet that it even got its own domain, logo and marketing campaign.

heartbleed

Here you can test if your server is affected: http://filippo.io/Heartbleed/

Unfortunately VersionEye was affected as well. We don’t have any reason to believe that we have been compromised! But we rotated all secrets anyway and revoked all tokens from GitHub and Bitbucket.

What does that mean for you? If you signed up at VersionEye with your GitHub or Bitbucket account, you have to grant VersionEye access to your GitHub/Bitbucket account again. Just use one of the social media login buttons on this page:

https://www.versioneye.com/signin

If you are currently signed in at VersionEye you can re-connect your GitHub/Bitbucket account here:

https://www.versioneye.com/settings/connect

If you signed up with your email address, please use the “password reset” function, because we reset all passwords in our database to random values.

https://www.versioneye.com/iforgotmypassword

I’m really sorry for this inconvenience. But safe is safe!

You can believe me that my heart was bleeding when I clicked the “Revoke all user tokens” button at GitHub :-/