
Find vulnerabilities in Bower

You can scan any code repository to which you have access, provided it meets the requirements.

Scan your code

To run an example scan, you can clone one of the public Veracode SCA repositories:

git clone https://github.com/veracode/example-javascript-bower

After you add a srcclr.yml file to the directory at which you point the Veracode SCA agent, you can specify scan directives for scanning your Bower code. Some scan directives are specific to Bower projects.

Before you begin:

  • Meet the requirements for the Veracode SCA agent.
  • Have access to the Bower repository.
  • Have Bower installed and available on your PATH.
  • Include the bower.json file in the repository to scan.
  • Be able to run bower install and bower list from the root of the project where you perform scans. When the scanning user is the superuser (root), both commands need the --allow-root flag; have the agent pass it by setting the allow_root scan directive or the SRCCLR_ALLOW_ROOT environment variable to true.

The Veracode SCA agent runs a specific command to identify the dependencies and their versions in your project. You can run this command before scanning to test that the agent can build the project:

bower install
bower list --json

To complete this task:

At the command line, run the scan command pointed at the directory of the Bower repository. For example:

srcclr scan path/to/{project_folder}

To scan code repositories hosted in Git, use the --url argument at the command line.

To view more verbose output during the scan process, add the --loud argument:

srcclr scan path/to/{project_folder} --loud

Results:

The Veracode SCA agent uses the native package managers to identify the dependencies and their versions in your project. When the agent evaluates the open source libraries in use, it produces a summary of the scan results. This summary includes counts for total libraries used, vulnerable libraries, percentage of third-party code, and a list of the vulnerabilities found.

Next steps:

After completing the scan, you can view the results.

Fix example direct vulnerability

When your configuration file specifically references a library, Veracode SCA refers to the library as a direct dependency.

These example steps provide a fix for a Cross-site Scripting (XSS) Through link-to Title Attribute vulnerability in Ember version 1.2.0 in the example-javascript-bower repository.

To complete this task:

  1. Add this line to the dependencies section of the bower.json file in the root of the project:

    "ember": "1.2.2"
  2. To install Ember version 1.2.2, run:

    bower update ember
  3. Validate the fix.

Fix example transitive vulnerability

To fix a transitive library for Bower, override the transitive dependency by specifying how to resolve the dependency.

These steps provide a fix for a Cross-site Scripting (XSS) vulnerability in the jquery library, jQuery version 1.10.2, in the example-javascript-bower repository.

To complete this task:

  1. Add the appropriate version of jQuery to the bower.json file with a defined resolutions section:

    "dependencies": {
      ...
      "jquery": "1.12.0",
      ...
    },
    "resolutions": {
      ...
      "jquery": "1.12.0",
      ...
    }
  2. To download the updated jQuery library, run:

    bower update jquery
  3. Validate the fix.
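The direct and transitive cases above differ only in which bower.json section you edit. As an added example (not Veracode's or Bower's own code), the following Node.js script walks the dependency tree that bower list --json prints, which is the command the agent uses to identify dependencies, and tells you for each reported vulnerable library whether it is direct (bump it under "dependencies") or transitive (override it under "resolutions"). The tree and the vulnerable-version list are constructed sample data, and the field names pkgMeta and dependencies are assumed from the bower list JSON format.

```javascript
// Added example: classify vulnerable Bower libraries as direct or transitive.

// Constructed sample of the tree `bower list --json` prints for the example
// project before either fix: ember 1.2.0 is declared in bower.json (direct),
// jquery 1.10.2 is pulled in by ember (transitive). Field names follow the
// bower list output format as assumed here.
const bowerTree = {
  pkgMeta: { name: 'example-javascript-bower', dependencies: { ember: '1.2.0' } },
  dependencies: {
    ember: {
      pkgMeta: { name: 'ember', version: '1.2.0', dependencies: { jquery: '~1.10.2' } },
      dependencies: {
        jquery: { pkgMeta: { name: 'jquery', version: '1.10.2' }, dependencies: {} },
      },
    },
  },
};

// Constructed: versions the scan reported as vulnerable, keyed by library name.
const vulnerableVersions = { ember: ['1.2.0'], jquery: ['1.10.2'] };

// One record per resolved library; `via` keeps the path from the project root
// so a transitive hit can be traced to the direct dependency that brought it in.
function flattenBowerTree(node, path = []) {
  const out = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const chain = [...path, name];
    out.push({
      name,
      version: child.pkgMeta.version,
      direct: path.length === 0,
      via: chain.join(' > '),
    });
    out.push(...flattenBowerTree(child, chain));
  }
  return out;
}

// Report each vulnerable library with the bower.json section that fixes it:
// a direct dependency is bumped under "dependencies", a transitive one is
// overridden under "resolutions".
function vulnerableLibraries(tree, vulnMap) {
  return flattenBowerTree(tree)
    .filter((d) => (vulnMap[d.name] || []).includes(d.version))
    .map((d) => ({ ...d, fixIn: d.direct ? 'dependencies' : 'resolutions' }));
}

for (const h of vulnerableLibraries(bowerTree, vulnerableVersions)) {
  const how = h.direct ? 'direct' : `transitive via ${h.via}`;
  console.log(`${h.name}@${h.version} (${how}) -> edit "${h.fixIn}" in bower.json`);
}
```

After applying the fixes, rerun bower install and bower list --json and feed the new tree through the same functions; a library that still resolves to a listed version has not been fixed.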

Next steps:

After completing these steps, build, test, and rescan your project to ensure the fix succeeded.