Tips:
Please follow the instructions here to load the graph: https://github.com/lcwj3/neo4j_setup
This is the DVGraph we used to carry out the empirical study in our paper. It contains all NPM packages released before 2020, and we are considering official periodic releases of DVGraph in the future to support community research.
To inspect the data, please unzip this file and load it as a graph database using neo4j.
Note that vulnerabilities whose vulnerabilityId has the form "SEC-XXXX-XXXX" are not taken into consideration in our study; they are security bugs we found for other purposes, so please ignore them when validating the results from our paper.
Commercial Partner: https://scantist.io/
DTResolver has been released as part of source code scans for Node.js projects, and DTReme is under secondary development for better service and is coming soon; stay tuned!
We have temporarily deployed our tools on a cloud server (unavailable now); please access the tools with the following RESTful APIs.
Note:
The DVGraph deployed behind these RESTful APIs was generated in the middle of July 2021, so the resolved dependency trees may differ slightly from the dependencies you actually install when you compare them, because library versions released after that date are not captured.
Because our tools are now integrated as part of a commercial tool from our anonymous industry partners, we will replace this cloud deployment with the official free access link of our tools after our paper is accepted.
Generally, we provide 6 RESTful APIs for 3 main functionalities (an xxxRels API returns the dependency tree as a list of single dependency relations, i.e. srcId/destId edges, instead of a nested tree):
dependencies & dependenciesRels:
These 2 APIs calculate the dependency tree of a given package, resolved at the latest time captured in DVGraph.
timedependencies & timedependenciesRels:
These 2 APIs calculate the dependency tree of a given package at any earlier time (which cannot be earlier than the package's release time).
cleantree & cleantreeRels:
These 2 APIs calculate the remediated dependency tree of a given package.
Here we present the RESTful APIs with the example of conventional-changelog-angular@5.0.6, which was released on 2019-11-07T08:26:46.897Z.
Curl command:
curl --location --request GET '114.119.186.219:58000/dependencies' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "name": "conventional-changelog-angular",
    "vendor": "",
    "platform": "NPM",
    "version": "5.0.6"
  }'
Output (simplified for presentation)
{
  "root": {
    "libraryName": "conventional-changelog-angular",
    "version": "5.0.6",
    "dependenciesList": [
      {
        "libraryName": "compare-func",
        "version": "1.3.4",
        "dependenciesList": [
          {
            "libraryName": "array-ify",
            "version": "1.0.0",
            "dependenciesList": []
          },
          {
            "libraryName": "dot-prop",
            "version": "3.0.0",
            "dependenciesList": [
              {
                "libraryName": "is-obj",
                "version": "1.0.1",
                "dependenciesList": []
              }
            ]
          }
        ]
      },
      {
        "libraryName": "q",
        "version": "1.5.1",
        "dependenciesList": []
      }
    ]
  }
}
Curl command:
curl --location --request GET '114.119.186.219:58000/dependenciesRels' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "name": "conventional-changelog-angular",
    "vendor": "",
    "platform": "NPM",
    "version": "5.0.6"
  }'
Output
[
  {
    "srcId": "conventional-changelog-angular:5.0.6",
    "destId": "compare-func:1.3.4"
  },
  {
    "srcId": "conventional-changelog-angular:5.0.6",
    "destId": "q:1.5.1"
  },
  {
    "srcId": "compare-func:1.3.4",
    "destId": "array-ify:1.0.0"
  },
  {
    "srcId": "compare-func:1.3.4",
    "destId": "dot-prop:3.0.0"
  },
  {
    "srcId": "dot-prop:3.0.0",
    "destId": "is-obj:1.0.1"
  }
]
Curl command:
curl --location --request GET '114.119.186.219:58000/timedependencies' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "name": "conventional-changelog-angular",
    "vendor": "",
    "platform": "NPM",
    "version": "5.0.6",
    "time": "2020-01-01T00:41:37.762Z"
  }'
Output (simplified for presentation)
{
  "root": {
    "libraryName": "conventional-changelog-angular",
    "version": "5.0.6",
    "dependenciesList": [
      {
        "libraryName": "compare-func",
        "version": "1.3.2",
        "dependenciesList": [
          {
            "libraryName": "array-ify",
            "version": "1.0.0",
            "dependenciesList": []
          },
          {
            "libraryName": "dot-prop",
            "version": "3.0.0",
            "dependenciesList": [
              {
                "libraryName": "is-obj",
                "version": "1.0.1",
                "dependenciesList": []
              }
            ]
          }
        ]
      },
      {
        "libraryName": "q",
        "version": "1.5.1",
        "dependenciesList": []
      }
    ]
  }
}
Curl command:
curl --location --request GET '114.119.186.219:58000/timedependenciesRels' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "name": "conventional-changelog-angular",
    "vendor": "",
    "platform": "NPM",
    "version": "5.0.6",
    "time": "2020-01-01T00:41:37.762Z"
  }'
Output
[
  {
    "srcId": "conventional-changelog-angular:5.0.6",
    "destId": "compare-func:1.3.2"
  },
  {
    "srcId": "conventional-changelog-angular:5.0.6",
    "destId": "q:1.5.1"
  },
  {
    "srcId": "compare-func:1.3.2",
    "destId": "array-ify:1.0.0"
  },
  {
    "srcId": "compare-func:1.3.2",
    "destId": "dot-prop:3.0.0"
  },
  {
    "srcId": "dot-prop:3.0.0",
    "destId": "is-obj:1.0.1"
  }
]
Curl command:
curl --location --request GET '114.119.186.219:58000/cleantree' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "name": "conventional-changelog-angular",
    "vendor": "",
    "platform": "NPM",
    "version": "5.0.6"
  }'
Output (simplified for presentation)
{
  "root": {
    "libraryName": "conventional-changelog-angular",
    "version": "5.0.6",
    "dependenciesList": [
      {
        "libraryName": "compare-func",
        "version": "1.3.3",
        "dependenciesList": [
          {
            "libraryName": "array-ify",
            "version": "1.0.0",
            "dependenciesList": []
          },
          {
            "libraryName": "dot-prop",
            "version": "5.3.0",
            "dependenciesList": [
              {
                "libraryName": "is-obj",
                "version": "2.0.0",
                "dependenciesList": []
              }
            ]
          }
        ]
      },
      {
        "libraryName": "q",
        "version": "1.5.1",
        "dependenciesList": []
      }
    ]
  }
}
Curl command:
curl --location --request GET '114.119.186.219:58000/cleantreeRels' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "name": "conventional-changelog-angular",
    "vendor": "",
    "platform": "NPM",
    "version": "5.0.6"
  }'
Output
[
  {
    "srcId": "conventional-changelog-angular:5.0.6",
    "destId": "compare-func:1.3.3"
  },
  {
    "srcId": "conventional-changelog-angular:5.0.6",
    "destId": "q:1.5.1"
  },
  {
    "srcId": "compare-func:1.3.3",
    "destId": "array-ify:1.0.0"
  },
  {
    "srcId": "compare-func:1.3.3",
    "destId": "dot-prop:5.3.0"
  },
  {
    "srcId": "dot-prop:5.3.0",
    "destId": "is-obj:2.0.0"
  }
]
Specifically, there is a dependency path (conventional-changelog-angular:5.0.6 -> compare-func:1.3.2 -> dot-prop:3.0.0) that introduces a vulnerability (CVE-2020-8116) into the dependency tree of conventional-changelog-angular:5.0.6 as resolved at the time this package was released.
Luckily, the owner of compare-func changed the dependency relation from "dot-prop: ^3.0.0" to "dot-prop: ^5.1.0" in the release of compare-func:1.3.3, which resolves to a new clean version (dot-prop:5.3.0). However, this dependency relation was somehow changed back to "dot-prop: ^3.0.0" in compare-func:1.3.4, which exposes the downstream users of compare-func to the vulnerability again from then on.
There is no patched version in the dot-prop:3.x.x line, so traditional remediation tools that only remediate the vulnerable point itself (e.g., npm audit fix) cannot fix it.
For such cases, our DTReme remediates this vulnerability by rolling back the parent package of "dot-prop": it selects compare-func:1.3.3 for installation so that the vulnerable dot-prop version is never installed.
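The two response formats and the remediation described above can be checked programmatically. The Python below is an added example, not code from the artifact or from DTResolver/DTReme: it takes the page's timedependenciesRels (before remediation) and cleantreeRels (after) outputs as constructed inline input, rebuilds the nested dependencies format from the edge list, finds the path that introduces dot-prop:3.0.0, and lists which package versions the clean tree changed.

```python
from collections import defaultdict
# Constructed sample input: the page's timedependenciesRels (before) and cleantreeRels (after) edge lists.
def mk_rels(*edges):
    return [{"srcId": s, "destId": d} for s, d in edges]
ROOT = "conventional-changelog-angular:5.0.6"
TIME_RELS = mk_rels((ROOT, "compare-func:1.3.2"), (ROOT, "q:1.5.1"),
                    ("compare-func:1.3.2", "array-ify:1.0.0"),
                    ("compare-func:1.3.2", "dot-prop:3.0.0"), ("dot-prop:3.0.0", "is-obj:1.0.1"))
CLEAN_RELS = mk_rels((ROOT, "compare-func:1.3.3"), (ROOT, "q:1.5.1"),
                     ("compare-func:1.3.3", "array-ify:1.0.0"),
                     ("compare-func:1.3.3", "dot-prop:5.3.0"), ("dot-prop:5.3.0", "is-obj:2.0.0"))
VULNERABLE = {"dot-prop:3.0.0"}  # per the page, dot-prop:3.0.0 carries CVE-2020-8116

def adjacency(rel_list):
    """Map each srcId to its destIds, in the order the API returned them."""
    adj = defaultdict(list)
    for rel in rel_list:
        adj[rel["srcId"]].append(rel["destId"])
    return adj

def to_tree(rel_list, root):
    """Rebuild the nested 'dependencies' format from a Rels edge list."""
    adj = adjacency(rel_list)
    def build(node, on_path):
        name, version = node.rsplit(":", 1)  # ids are "name:version"
        kids = [] if node in on_path else adj.get(node, [])  # cut cycles
        return {"libraryName": name, "version": version,
                "dependenciesList": [build(k, on_path | {node}) for k in kids]}
    return {"root": build(root, frozenset())}

def vulnerable_paths(rel_list, root, vulnerable):
    """Every root-to-vulnerable-node path: how each vulnerability is introduced."""
    adj, found = adjacency(rel_list), []
    def walk(node, path):
        if node in vulnerable:
            found.append(path)
        for child in adj.get(node, []):
            if child not in path:  # cut cycles
                walk(child, path + [child])
    walk(root, [root])
    return found

def version_changes(before, after):
    """Per package name, the (old, new) version pair a remediation changed."""
    def versions(rel_list):
        ids = {e[k] for e in rel_list for k in ("srcId", "destId")}
        return dict(i.rsplit(":", 1) for i in ids)
    old, new = versions(before), versions(after)
    return {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}
```

Running vulnerable_paths on the time-resolved tree returns the single path through compare-func:1.3.2, while on the clean tree it returns nothing, and version_changes shows that DTReme moved compare-func, dot-prop and is-obj rather than only the vulnerable package.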