Some time ago we at Mechanical Ink did some research into the performance and security of some of the most used sites in South Africa.
While doing this research we ran into a couple of trends. Two of these relate to front-end libraries and frameworks. We found that:
- Many sites included multiple versions of the same library. jQuery and jQuery UI are the most common culprits here.
- A lot of sites are running versions of these libraries that have known vulnerabilities and, more often than not, known remediations.
Very few site owners do this knowingly, especially the large sites we tested. This leads us to believe that these outcomes come down to a lack of insight combined with the demands of running a modern website.
What if there was a website where you could enter your site's URL and get a report of the front-end dependencies you are using, whether any of them have known vulnerabilities, and links to the relevant security advisories?
And so, vulnerability-alert.com was born. Below is a screenshot showing an example of the report you might get when entering your website URL.
It lists the vulnerable libraries and frameworks, displays the vulnerability count and highest severity, and links to the relevant security advisory on Snyk.io.
Below this, it also lists all the dependencies it found along with their version number irrespective of vulnerability status.
We use Lighthouse on the backend to do the analysis and Vue.js on the frontend to build out the UI and report. And of course, as mentioned before, we link to Snyk.io where people can read more about the security issue and find ways to resolve and mitigate it in the future.
We have many more ideas for what this can become, but we think it is already useful in its current iteration. The code is open source on GitHub (see below) and we welcome your feedback.
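As an added illustration, and not the vulnerability-alert.com code itself, the core of such a report is matching each detected library version against the version ranges in the advisories; the JavaScript below does that and also flags the first trend above, a library loaded in more than one version. The advisory table, its placeholder URLs, the severity ranking and the `{ name, version }` input shape are all assumptions constructed for this example.

```javascript
// Added example (not vulnerability-alert.com's code): derive the post's report fields from
// a detected-library list and a small, constructed advisory table.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };
// Constructed, illustrative advisories; ranges are space-separated clauses such as "<3.5.0".
const ADVISORIES = [
  { library: 'jquery', range: '<3.5.0', severity: 'medium', url: 'https://advisory.example/jq-1' },
  { library: 'jquery', range: '<3.0.0', severity: 'high', url: 'https://advisory.example/jq-2' },
  { library: 'jquery-ui', range: '>=1.0.0 <1.12.0', severity: 'high', url: 'https://advisory.example/jqui-1' },
];

// "1.12.4", "v3.6" or "2.6.14-beta" -> [major, minor, patch]; null when not a version.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(text).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

// True when every clause holds; an unparseable version is "not matched", never guessed.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  return range.trim().split(/\s+/).every((clause) => {
    const [, op = '=', bound] = /^(<=|>=|<|>|=)?(.+)$/.exec(clause);
    const b = parseVersion(bound);
    if (!b) return false;
    const c = v[0] - b[0] || v[1] - b[1] || v[2] - b[2]; // sign orders v against b
    return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0, '=': c === 0 }[op];
  });
}

// Detector names like "jQuery UI" map to advisory keys like "jquery-ui".
const normalise = (name) => name.toLowerCase().replace(/[\s_]+/g, '-');

function buildReport(detected, advisories = ADVISORIES) {
  const vulnerable = [];
  const versionsByLib = new Map();
  for (const { name, version } of detected) {
    const key = normalise(name);
    versionsByLib.set(key, (versionsByLib.get(key) || new Set()).add(version));
    const hits = advisories.filter((a) => a.library === key && satisfies(version, a.range));
    if (hits.length === 0) continue;
    const worst = hits.reduce((w, a) => (SEVERITY_RANK[a.severity] > SEVERITY_RANK[w.severity] ? a : w));
    vulnerable.push({ name, version, count: hits.length, highestSeverity: worst.severity, advisory: worst.url });
  }
  // The post's first trend: one library loaded in several versions on the same page.
  const duplicates = [...versionsByLib].filter(([, v]) => v.size > 1).map(([n, v]) => ({ name: n, versions: [...v] }));
  return { vulnerable, duplicates, dependencies: detected };
}

// Constructed sample of what a library detector might report for one page.
const SAMPLE_DETECTED = [
  { name: 'jQuery', version: '1.12.4' }, { name: 'jQuery', version: '3.6.0' },
  { name: 'jQuery UI', version: '1.11.4' }, { name: 'Vue', version: '2.6.14' },
];
```

Calling `buildReport(SAMPLE_DETECTED)` yields two vulnerable entries (jQuery 1.12.4 with two hits at severity high, jQuery UI 1.11.4 with one) and flags jQuery as loaded twice; the unknown-version case is left to the caller to surface rather than silently counted as safe.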