Node.js Security: The License and Security Risks of Using Node.js

Why open source software could make your application open for exploitation.

By Rich Kosinski and Gary Armstrong · Aug. 29, 19 · Opinion

Open source software now dominates application development. Open source represented 60% of the code analyzed during Black Duck Audits in 2018, up from 57% in 2017 and 35% in 2016.

When a codebase contains open source software, it takes advantage of development work that someone else has already completed for free. But an application using a component doesn’t inherit just its features; it also inherits any licensing and security issues lurking in the component. Companies using open source code need to make sure they comply with the legal terms under which that code is released, and they need to know whether that code contains any vulnerabilities.

The Black Duck Audit Services team conducts open source software audits on thousands of codebases for its customers each year, primarily as part of merger and acquisition due diligence. During these audits, we find thousands of license and security risks in open source code in our customers’ codebases. So let’s talk about some of the open source license and security risks that come with using Node.js, one of the most popular JavaScript runtime environments.

Node.js

According to the Node.js website: “Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient. Node.js’ package ecosystem, npm, is the largest ecosystem of open source libraries in the world. As an asynchronous event-driven JavaScript runtime, Node is designed to build scalable network applications.”

Node.js is becoming more widespread because it enables the use of server-side JavaScript. JavaScript is arguably the most popular programming language right now because of its scalability, performance, and ease of use. Traditionally, JavaScript was used for client-side front-end web development. The scripts were embedded in the HTML, and the JavaScript engine in the client’s web browser handled the rest. However, thanks to Node.js, JavaScript functionality has been extended to the server-side.

The JavaScript community has grown at an impressive rate. On GitHub, more repositories are created in JavaScript than in any other language. The growth of this open source community has led to the wide adoption of server-side JavaScript with Node.js. This, in turn, has affected open source use in our customers’ codebases. JavaScript applications tend to be heavy with open source code. Thus, as the use of JavaScript in application development increases, so does the use of open source software.

Npm and Potential Security Risks

Npm, the default package manager for Node.js, is one of the largest open source package ecosystems in the world. This rich ecosystem of open source packages has led to an increase in developer productivity and application performance, which is a win-win scenario for development organizations.

Node.js codebases often contain hundreds or even thousands of npm packages. Developers may be unaware of the packages’ direct and indirect dependencies and the security risks associated with them.

Npm began focusing on security in 2018 when they released npm audit, a new command that performs a moment-in-time security review of a project’s dependency tree and produces an npm audit security report. The report contains information about security vulnerabilities in the dependencies and provides npm commands and recommendations for further troubleshooting. The big question is whether companies are looking at the list of security vulnerabilities and managing them appropriately.

Why Do so Many Node.js Projects Have Security Risks?

Many of the organizations that the Black Duck Audit Services team works with have internal security programs and deploy security testing tools, such as static analysis and dynamic analysis. While those tools are useful for identifying common coding errors that may result in security issues, they have proven ineffective at identifying vulnerabilities that enter code through open source components. For example, 12% of codebases using the Node.js framework in 2018 included the ROBOT vulnerability, over 3% included the DROWN vulnerability, and over 2% included FREAK. And 1.6% of the codebases even contained the POODLE vulnerability, which was publicly disclosed in 2014.

Why Do so Many Node.js Projects Have License Risks?

Many automated tools that identify open source components in technologies like Node.js do so by analyzing the package manager index files that describe the dependencies in the project. But this cursory list of components and licenses doesn’t account for open source reuse, which is a common occurrence. The open source community reuses open source projects for the same reasons as organizations do: to speed development, incorporate functionality, and decrease time to market. Thus, both commercial and open source developers can introduce code snippets, functions, methods, and operational pieces of code into files.

For that reason, many Node.js projects contain licensing terms other than the license that governs Node.js; on average, 20% of the codebases we audited in 2018 that used the Node.js framework contained hidden reciprocally licensed components. In other words, projects built on Node.js pull in additional open source content governed by licenses that may be incompatible with commercial use.

The following are examples of open source components that we found in projects using the Node.js framework. Each of these components could pose a license risk as a result of hidden reciprocal components or licenses. Failure to comply with the open source licenses associated with hidden components could put a business at risk of litigation and compromise of its intellectual property.

Component: js-dom (npm) (GitHub)
License: MIT
Potential conflicts: The default stylesheet included with this open source component is copied from Blink, the rendering engine used by Chromium, which is licensed under LGPL 2.0 or later.

Component: tough-cookie (npm) (GitHub)
License: BSD 3-clause
Potential conflicts: Up until 2.3.4, this component included the Public Suffix List, which is licensed under MPL 2.0.

Component: seek-bzip (npm) (GitHub)
License: MIT
Potential conflicts: Before 1.0.5, this component was licensed under LGPL 2.1 or later. This component could pose a license risk because the LGPL 2.1 or later license and copyright notices are still in the file ‘index.js’. The change of license was a result of upstream packages relicensing their open source components. But were all versions of the upstream packages relicensed? And why is the license still in the files?

Component: react-native (npm) (GitHub)
License: MIT
Potential conflicts: The file ‘DisplayMetricsHolder.java’ uses code that has been published on Stack Overflow, which is licensed under Creative Commons Attribution-ShareAlike 3.0.

Component: adm-zip (npm) (GitHub)
License: MIT
Potential conflicts: Up until July 2018, this component included ‘js-deflate’ in the file ‘deflater.js’, which is licensed under GPL 2.0 or later.


Deep Dives Into Node.js Packages Are Completely Necessary

In conclusion, it should be evident that a framework like Node.js requires a deeper dive into the actual source of a package than many automated tools provide. You should learn more about the dependencies of the open source packages in your Node.js applications and the hidden snippets that could place legal restrictions on those packages.

While some organizations are working to address the vulnerability concerns in open source JavaScript packages, much of that work focuses on issues reported to the National Vulnerability Database (NVD).


Opinions expressed by DZone contributors are their own.