Does SCA detect malware? (sometimes but, 2024 edition)
Recently I was asked if Software Composition Analysis (SCA) tools detect malware. I had seen some evidence that they do, but I thought I’d try out a recent case, looking at @solana/web3.js (thanks to Paul McCarty for bringing it to my attention).
TL;DR (Too Long; Didn’t Read):
- It appears npm removes all references to a malware version (with no warning on lookup)
- SCA did detect this specific package with known malware
- After a library’s malware has been cleaned up, it is harder to identify whether it was vulnerable
- Packages are removed (for good reason), but search results are typically a generic “not found” rather than a statement that this package was exploitable.
The methodology used was simple and took about 30 minutes:
- Create a valid package.json (manually)
- Create a private GitHub repo and add the package.json
- Use Snyk to identify if vulnerable (command line only)
- Use trivy to identify if vulnerable (command line only)
I did NOT do an npm install, as this would most likely have run the malware; it would have failed anyway, as the package had been removed from npm.
Here are the quick “findings” based on 30 minutes of playing around:
- GitHub Dependabot created an alert on checking the package.json into the repository
- Trivy found the vulnerability in a package-lock.json but NOT in the package.json
- Snyk found the vulnerability in a package-lock.json but NOT in the package.json
Running Snyk on the vulnerable package with:
snyk test @solana/web3.js@1.95.7
resulted in a “not found”, rather than a report that this was exploitable.
Looking at the vulnerable package on npm itself:
https://www.npmjs.com/package/@solana/web3.js/v/1.95.7
resulted in a “not found”, as it had been removed (a reliable source told me).
A developer may get vaguer information on packages affected by malware. Libraries with vulnerabilities are still findable; those with malware seem to be removed.
In some quick Q&A Slack conversations, malware in libraries appears to be handled differently.
There’s current thinking that everyone should have an organisation-wide open source inventory capability, so we can solve use cases at an organisation level like:
- Are we using library X?
- What versions are we using? (because a.b.c has malware)
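As an added example (not code from the original post, and not any SCA vendor’s implementation), here is a small inventory script for exactly those two questions, run across a tree of repositories without doing an npm install. It also shows why the scanners above flagged the package-lock.json but not the package.json: the manifest only declares a range such as ^1.95.0, which may or may not have resolved to the bad version, while the lockfile pins the exact version. The sample repositories it builds are constructed for the example; the only malicious version it knows about is 1.95.7, taken from the post above; lockfile parsing follows npm’s documented lockfileVersion 1 (nested dependencies) and 2/3 (flat packages map) layouts.

```python
"""Inventory which projects under a root pull in a given npm package, and at
which versions, by reading package.json and package-lock.json only.

Added example for this post; the sample repositories are constructed, not real.
"""
import json
import tempfile
from pathlib import Path

PACKAGE = "@solana/web3.js"
BAD_VERSIONS = {"1.95.7"}   # version named in the post; extend as needed


def _walk_v1(deps, out):
    """lockfileVersion 1: a nested 'dependencies' tree."""
    for name, info in deps.items():
        if "version" in info:
            out.append((name, info["version"]))
        _walk_v1(info.get("dependencies", {}), out)


def lockfile_versions(lock):
    """Every (name, version) pinned in a package-lock.json, v1 or v2/v3."""
    out = []
    if "packages" in lock:                       # lockfileVersion 2/3
        for path, info in lock["packages"].items():
            if path == "" or "version" not in info:
                continue                         # "" is the root project itself
            name = info.get("name") or path.rsplit("node_modules/", 1)[-1]
            out.append((name, info["version"]))
    else:                                        # lockfileVersion 1
        _walk_v1(lock.get("dependencies", {}), out)
    return out


def _semver(v):
    parts = v.split(".")
    ok = len(parts) == 3 and all(p.isdigit() for p in parts)
    return tuple(int(p) for p in parts) if ok else None


def range_may_resolve_to(spec, version):
    """Could the package.json range `spec` select `version`?
    Handles exact pins, ^ and ~. Anything this toy matcher does not parse
    (||, >=, dist-tags, git URLs) is reported as 'maybe'."""
    target, base = _semver(version), _semver(spec.lstrip("^~"))
    if target is None or base is None:
        return "maybe"
    if spec.startswith("^"):
        fixed = 1 if base[0] else (2 if base[1] else 3)   # leftmost non-zero stays fixed
        ok = target[:fixed] == base[:fixed] and target >= base
    elif spec.startswith("~"):
        ok = target[:2] == base[:2] and target >= base
    else:
        ok = target == base
    return "yes" if ok else "no"


def inventory(root, package=PACKAGE, bad_versions=BAD_VERSIONS):
    """Map each project under `root` to how it uses `package` and a verdict."""
    root = Path(root)
    report = {}
    for manifest in sorted(root.rglob("package.json")):
        if "node_modules" in manifest.parts:
            continue                             # first-party manifests only
        pj = json.loads(manifest.read_text())
        declared = {**pj.get("dependencies", {}), **pj.get("devDependencies", {})}.get(package)
        lock = manifest.with_name("package-lock.json")
        resolved = sorted({v for n, v in lockfile_versions(json.loads(lock.read_text()))
                           if n == package}) if lock.exists() else []
        if declared is None and not resolved:
            continue                             # project does not use the package
        if resolved:                             # the lockfile is authoritative
            status = "confirmed" if set(resolved) & set(bad_versions) else "clean (pinned)"
        else:                                    # only a range: cannot be certain
            verdicts = {range_may_resolve_to(declared, v) for v in bad_versions}
            status = ("possible (no lockfile)" if "yes" in verdicts
                      else "unknown (range not parsed)" if "maybe" in verdicts
                      else "clean (range excludes)")
        report[str(manifest.parent.relative_to(root))] = {
            "declared": declared, "resolved": resolved, "status": status}
    return report


def build_sample_tree(root):
    """Constructed sample repositories (not real data), one per case."""
    root = Path(root)

    def put(rel, obj):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(json.dumps(obj))

    put("repo-a/package.json", {"dependencies": {PACKAGE: "^1.95.0"}})
    put("repo-a/package-lock.json", {"lockfileVersion": 3, "packages": {
        "": {"dependencies": {PACKAGE: "^1.95.0"}},
        "node_modules/@solana/web3.js": {"version": "1.95.7"}}})
    put("repo-b/package.json", {"dependencies": {PACKAGE: "^1.95.0"}})  # no lockfile
    put("repo-c/package.json", {"devDependencies": {PACKAGE: "1.95.5"}})
    put("repo-c/package-lock.json", {"lockfileVersion": 1, "dependencies": {
        "@solana/web3.js": {"version": "1.95.5",
                            "dependencies": {"buffer": {"version": "6.0.3"}}}}})
    put("repo-d/package.json", {"dependencies": {"express": "^4.19.0"}})
    put("repo-d/node_modules/express/package.json", {"name": "express"})


def demo():
    """Build the constructed tree in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    for repo, info in demo().items():
        print(f"{repo}: declared={info['declared']} resolved={info['resolved']} -> {info['status']}")
```

Run against a checkout of your repositories instead of the sample tree to answer “are we using library X, and at which versions?”. The point of the three verdicts is the one the scan results above hint at: only a lockfile gives a definite answer, a bare package.json range gives at best a “possible”, and that is the gap an organisation-wide inventory has to close (ideally by requiring committed lockfiles).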
Parting thoughts
I’ll need to do a broader analysis of a few more use cases with different package managers.
It does look like there is some SCA coverage of malware, BUT two knowledgeable people I spoke with indicated there are challenges.
Given your code repositories, how easy is it to find all the usages of a vulnerable package?
What’s been your experience with malware in libraries versus vulnerabilities?