What is the response time on new threats? about devskim HOT 2 CLOSED

At the moment DevSkim doesn't have a robust story for scanning project dependencies for known security issues - it currently is just doing vulnerable pattern analysis of source code. We are designing/prototyping different approaches to analyzing manifest and project files for known vulnerable (or abandoned/deprecated) dependencies. Since we are still designing that we are a fair ways out for being able to talk about what our response time would eventually be when a new bulletin is released (though ideally we would be feeding off of NVD or other vuln feed, and able to automatically update as soon as details are available from whatever feed we use). As a stop gap, I'll talk with @scovetta about a much more immediate (and fairly hard coded) solution for the advisory above.

I would encourage you to also open an issue under the Roslyn Analyzers (or respond to Barry's advisory post asking for an analyzer). It would really behoove the .Net community to have a built in analyzer that at the very least alerted when using a built in component that has a bulletin issued for it (if you are unfamiliar with Roslyn, its the .Net compiler. It supports analyzers that expand its analytic capabilities beyond just syntax errors, and as it is the compiler, its incredibly easy to integrate into CI builds since it is already part of the build. Here are more details and links to some security relevant analyzer, ). The .Net Security Guard project might also be interested in adding a dependency checker to their Roslyn analyzer package

from devskim.

Closing stale issues.

from devskim.