DependaBob

I started to set up some tooling to verify the security of the applications I develop for my clients (you know: the Cyber Resilience Act is coming...), and my first try was the popular Dependabot, to automatically and periodically check for known vulnerabilities in dependencies. But Dependabot is pretty specific to GitHub, operated inside the platform, and most of the code I work on is hosted elsewhere (mostly on GitLab). There is a Dependabot "port" for GitLab, but it is a pain in the ass to set up (and it would drain all my free CI/CD pipeline minutes...); there is also a dependabot-cli that can be run independently, but it is hell to configure properly to catch just security updates for a given repository.

So I ended up with a very naive solution: since most of my projects are PHP and JS, with dependencies installed through composer and npm, I just use the existing composer audit and npm audit commands to check them.

<?php

require('vendor/autoload.php');

use Symfony\Component\Mime\Email;
use Symfony\Component\Mailer\Mailer;
use Symfony\Component\Mailer\Bridge\Scaleway\Transport\ScalewayTransportFactory;
use Symfony\Component\Mailer\Transport\Dsn;

$mail_from = 'info@madbob.org';
$mail_to = 'info@madbob.org';
$mail_username = 'foo';
$mail_password = 'bar';

$folders = [
    "/home/madbob/working/project1",
    "/home/madbob/working/project2",
    "/home/madbob/working/project3",
];

$reportable = [];

foreach($folders as $folder) {
    chdir($folder);

    // Both commands exit non-zero when they find a known vulnerability.
    // exec() appends to $out, so reset it before each run, and only run a
    // checker when the folder actually uses that package manager: npm audit
    // fails (and would flag the folder) when there is no lock file to audit.
    $composer = 0;
    $npm = 0;

    if (file_exists('composer.json')) {
        $out = [];
        exec('composer audit', $out, $composer);
    }

    if (file_exists('package-lock.json')) {
        $out = [];
        exec('npm audit', $out, $npm);
    }

    if ($composer || $npm) {
        $reportable[] = $folder;
    }
}

if (count($reportable) == 0) {
    $subject = 'No problems';
    $text = 'No issue detected';
}
else {
    $subject = 'Problems!';
    $text = sprintf("Issues detected in the following folders:\n\n%s\n", join("\n", $reportable));
}

// Scaleway Transactional Email over the Symfony Mailer abstraction; swap the
// transport factory and DSN to use a different provider.
$transport = (new ScalewayTransportFactory())->create(new Dsn('scaleway+api', 'default', $mail_username, $mail_password));
$mailer = new Mailer($transport);
$email = (new Email())->from($mail_from)->to($mail_to)->subject($subject)->text($text);
$mailer->send($email);

This stupid PHP script just iterates over all the local folders of my projects, runs the proper audits, and sends an email with a very short summary (using the Scaleway Transactional Email service, but since it relies on the Symfony Mailer abstraction it can easily be adapted to any email provider).
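A limitation of relying on the exit code alone is that a non-zero status means either "a vulnerability was found" or "the audit could not run" (no network, a broken lock file, an expired registry token), and the summary email cannot tell the two apart, nor say how severe the findings are. The following is an added example, not the script from this post, showing how the same loop can instead read the machine-readable reports of `composer audit --format=json` and `npm audit --json` and list each finding with its severity, while still reporting a failed run separately. It assumes Composer 2.4 or later (the `audit` command) and npm 7 or later (the version 2 audit report, whose `vulnerabilities` entries carry a `severity`); the folder paths are placeholders, and the `runAudit`, `summariseComposer`, `summariseNpm` and `auditFolder` helpers are this example's own names.

```php
<?php
// Added example, not the original script: build a per-finding summary from the
// JSON output of composer audit and npm audit instead of the bare exit codes.
// Assumes Composer >= 2.4 and npm >= 7; the folder paths are placeholders.

declare(strict_types=1);

$folders = [
    '/home/madbob/working/project1',
    '/home/madbob/working/project2',
];

/**
 * Run an audit command inside $folder and return [exit code, decoded JSON|null].
 * stderr is discarded so that warnings cannot corrupt the JSON document; a
 * null report with a non-zero exit code means the tool itself failed to run.
 */
function runAudit(string $folder, string $command): array
{
    $out = [];
    $code = 1;
    exec(sprintf('cd %s && %s 2>/dev/null', escapeshellarg($folder), $command), $out, $code);
    $decoded = json_decode(implode("\n", $out), true);
    return [$code, is_array($decoded) ? $decoded : null];
}

/** composer audit JSON: "advisories" is keyed by package name, one array of advisories each. */
function summariseComposer(?array $report): array
{
    $lines = [];
    foreach ($report['advisories'] ?? [] as $package => $advisories) {
        foreach ($advisories as $adv) {
            $lines[] = sprintf('  composer  %-8s %s: %s (%s)',
                $adv['severity'] ?? 'unknown',
                $package,
                $adv['title'] ?? 'n/a',
                $adv['cve'] ?? $adv['advisoryId'] ?? 'no id');
        }
    }
    return $lines;
}

/** npm audit JSON (report v2): "vulnerabilities" is keyed by package name. */
function summariseNpm(?array $report): array
{
    $lines = [];
    foreach ($report['vulnerabilities'] ?? [] as $package => $vuln) {
        $lines[] = sprintf('  npm       %-8s %s (%s)%s',
            $vuln['severity'] ?? 'unknown',
            $package,
            $vuln['range'] ?? '*',
            ($vuln['isDirect'] ?? false) ? ' [direct dependency]' : '');
    }
    return $lines;
}

/** Audit one project folder with whichever package managers it actually uses. */
function auditFolder(string $folder): array
{
    $lines = [];

    if (is_file("$folder/composer.json")) {
        [$code, $report] = runAudit($folder, 'composer audit --format=json --no-interaction');
        if ($report === null && $code !== 0) {
            $lines[] = "  composer  audit failed to run (exit $code)";
        }
        $lines = array_merge($lines, summariseComposer($report));
    }

    // npm audit needs a lock file; without one it errors out rather than auditing.
    if (is_file("$folder/package-lock.json")) {
        [$code, $report] = runAudit($folder, 'npm audit --json');
        if ($report === null && $code !== 0) {
            $lines[] = "  npm       audit failed to run (exit $code)";
        }
        $lines = array_merge($lines, summariseNpm($report));
    }

    return $lines;
}

$body = '';
foreach ($folders as $folder) {
    $lines = auditFolder($folder);
    if ($lines !== []) {
        $body .= $folder . "\n" . implode("\n", $lines) . "\n\n";
    }
}

// $body can be handed to the same Symfony Mailer code as in the original script.
echo $body === '' ? "No issue detected\n" : "Issues detected:\n\n" . $body;
```

Both tools still exit non-zero when they print a report containing findings, so the exit code is consulted only when no JSON came back; that is exactly the "the audit did not run" case the plain exit-code version silently folds into "problems found".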

I've put this in the crontab of my local PC, scheduled to run every Monday morning. To happily start the week...