Marco

Reputation: 41

React Native - How to create a correct Dependency Check / Vulnerability Report and handle it?

How to correctly create a dependency check (vulnerability report) for a react native app?

If I run "npm install", an "npm audit" summary is shown automatically. For the following examples I've used a newly created project with React Native CLI using RN 0.63.2.

"npm audit" shows only 3 low vulnerabilities (node-fetch):

(image: npm audit excerpt of output)

Retire.js doesn't report any vulnerabilities (may be misconfigured, still trying to figure it out).

However, using DependencyCheck by jeremylong (https://github.com/jeremylong/DependencyCheck) it gives 132 vulnerabilities from 72 vulnerable dependencies. Excerpt:

Scan Information (show all):
 dependency-check version: 6.0.1
 Report Generated On: Sun, 20 Sep 2020 22:25:28 +0200
 Dependencies Scanned: 15319 (11276 unique)
 Vulnerable Dependencies: 72
 Vulnerabilities Found: 132
 Vulnerabilities Suppressed: 0
 ...

It looks like DependencyCheck sums up multiple analyzer reports and because of that probably finds more than the previous tools, but I'm still wondering about the amount (132 vulnerabilities vs. only 3). Might "npm audit" be better able to check whether those vulnerabilities are even valid for RN? Or would I have to check all 132 vulnerabilities manually to see if they apply to my React Native application and fix them (if possible)?

And with that I already have another question: some vulnerable dependencies come from react-native-cli. I can't find it anywhere, but this should not be included in a production app since it is the command-line tool used during development, isn't it? Is there any documentation (I couldn't find any) that gives hints about which dependencies are only for dev and would not be in production?

Any help would be appreciated.

Upvotes: 1

Views: 1669

Answers (2)

Kazi

Reputation: 391

The following steps can be followed to generate a report describing all the vulnerabilities found in the project:

  1. Download the OWASP Dependency-Check CLI tool from their official website (https://owasp.org/www-project-dependency-check/)

  2. Extract the downloaded zip file.

  3. Open the command prompt/terminal and navigate to the directory where the .bat and .sh files are located.

  4. For Windows, run the following command after substituting the directories of your project:

     dependency-check.bat --project "<project_name>" --scan <folder containing 3rd party libraries> --out <folder to generate reports> --suppression <xml file containing suppressions>
    
  5. For Linux, run the following command after substituting the directories of your project:

     dependency-check.sh --project "<project_name>" --scan <folder containing 3rd party libraries> --out <folder to generate reports> --suppression <xml file containing suppressions>
    

Sample command:

dependency-check.bat --project demo-project --scan E:/GitlabRepo/react/test-project  --out E:/GitlabRepo/react/test-project/vulnerability-report

A report will be generated indicating all the relevant details of each vulnerability found in the project.

Upvotes: 3

Marco

Reputation: 41

So answering my own question here:

The tool DependencyCheck by jeremylong collected all vulnerabilities where the library names matched a string contained in the vulnerability. E.g. "@hapi/address:2.1.4" was listed by the tool, but it was not in the dependency graph printed by NPM. But there was "hapijs". This occurred many times, and the only relevant findings were those already identified by npm with "npm audit".

So all the others were simple "false positives", but unfortunately they had to be checked one after another.

Upvotes: 1
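The manual one-after-another check described in this answer, and the `--suppression` file the first answer passes to dependency-check, can be mostly automated. The following script is an added example written for this page; it is not the questioner's code and not part of dependency-check. It reads a dependency-check JSON report (`--format JSON`) together with the graphs printed by `npm ls --json --prod` (production only; `--omit=dev --all` on npm 7+) and `npm ls --json` (everything), and sorts each vulnerable npm package into: CPE product name does not match the package name (the "@hapi/address" matched on "hapijs" pattern, a likely false positive), not known to npm at all, only reachable through devDependencies, or confirmed in the production graph. For the mismatch cases it emits suppression entries for review. The embedded report and graphs are constructed samples: the report is a simplified subset of the real JSON shape, the advisory names are placeholders rather than real CVEs, and `example-dev-cli` / `example-cli-helper` are hypothetical packages.

```python
"""Triage a dependency-check JSON report against the npm dependency graph.

Added example, not code from the question or from dependency-check. Inputs are
constructed samples; advisory IDs are placeholders, not real CVEs.
"""
import json
import sys
from urllib.parse import unquote
from xml.sax.saxutils import escape

# Constructed: simplified subset of dependency-check's JSON report shape.
DC_REPORT = {"dependencies": [
    {   # the page's "@hapi/address" case: CPE vendor/product is hapijs:hapi, not this package
        "fileName": "@hapi/address:2.1.4",
        "packages": [{"id": "pkg:npm/%40hapi/address@2.1.4"}],
        "vulnerabilityIds": [{"id": "cpe:2.3:a:hapijs:hapi:2.1.4:*:*:*:*:*:*:*"}],
        "vulnerabilities": [{"name": "EXAMPLE-1", "severity": "HIGH"}]},
    {   # the npm-audit finding: CPE product equals the package name
        "fileName": "node-fetch:2.6.0",
        "packages": [{"id": "pkg:npm/node-fetch@2.6.0"}],
        "vulnerabilityIds": [{"id": "cpe:2.3:a:node-fetch_project:node-fetch:2.6.0:*:*:*:*:*:*:*"}],
        "vulnerabilities": [{"name": "EXAMPLE-2", "severity": "LOW"}]},
    {   # hypothetical package reachable only through a dev-only CLI
        "fileName": "example-cli-helper:1.0.0",
        "packages": [{"id": "pkg:npm/example-cli-helper@1.0.0"}],
        "vulnerabilityIds": [{"id": "cpe:2.3:a:example:example-cli-helper:1.0.0:*:*:*:*:*:*:*"}],
        "vulnerabilities": [{"name": "EXAMPLE-3", "severity": "MEDIUM"}]},
    {   # scanned but clean: ignored by the triage
        "fileName": "react:16.13.1", "packages": [{"id": "pkg:npm/react@16.13.1"}],
        "vulnerabilityIds": [], "vulnerabilities": []},
]}
# Constructed: `npm ls --json --prod` and `npm ls --json` output (nested shape).
PROD_GRAPH = {"name": "AwesomeProject", "version": "0.0.1", "dependencies": {
    "react": {"version": "16.13.1"},
    "react-native": {"version": "0.63.2", "dependencies": {"node-fetch": {"version": "2.6.0"}}}}}
FULL_GRAPH = {"name": "AwesomeProject", "version": "0.0.1", "dependencies": {
    **PROD_GRAPH["dependencies"],
    "example-dev-cli": {"version": "1.0.0", "dependencies": {"example-cli-helper": {"version": "1.0.0"}}}}}


def flatten_npm_graph(node, acc=None):
    """Walk `npm ls --json` output into {package name: {installed versions}}."""
    acc = {} if acc is None else acc
    for name, info in node.get("dependencies", {}).items():
        if "version" in info:
            acc.setdefault(name, set()).add(info["version"])
        flatten_npm_graph(info, acc)  # nested copies live under their parent
    return acc


def parse_npm_purl(purl):
    """'pkg:npm/%40hapi/address@2.1.4' -> ('@hapi/address', '2.1.4'); None if not npm."""
    if not purl.startswith("pkg:npm/"):
        return None
    name, sep, version = unquote(purl[len("pkg:npm/"):]).rpartition("@")
    return (name, version.split("?")[0]) if sep and name else None


def cpe_vendor_product(cpe):
    """'cpe:2.3:a:hapijs:hapi:2.1.4:*:...' -> ('hapijs', 'hapi'); None if not CPE 2.3."""
    parts = cpe.split(":")
    return (parts[3], parts[4]) if len(parts) > 4 and parts[1] == "2.3" else None


def triage(report, prod_graph, full_graph):
    """Classify every vulnerable npm package in the report; returns a list of row dicts."""
    prod, full = flatten_npm_graph(prod_graph), flatten_npm_graph(full_graph)
    rows = []
    for dep in report.get("dependencies", []):
        if not dep.get("vulnerabilities"):
            continue  # scanned but clean
        purls = [p["id"] for p in dep.get("packages", []) if parse_npm_purl(p["id"])]
        if not purls:
            continue  # not an npm package (e.g. a native jar): triage separately
        name, version = parse_npm_purl(purls[0])
        bare = name.split("/")[-1]  # '@hapi/address' -> 'address'
        mismatched = []  # CPEs whose product is not this package: the substring-match false positives
        for v in dep.get("vulnerabilityIds", []):
            vp = cpe_vendor_product(v["id"])
            if vp and vp[1] != bare:
                mismatched.append(v["id"])
        if mismatched:
            status = "cpe-name-mismatch"  # heuristic: still confirm by hand before suppressing
        elif name not in full:
            status = "not-in-graph"  # npm does not list it at all: inspect node_modules manually
        elif name in prod and version in prod[name]:
            status = "confirmed-prod"  # this exact version ships in the app: fix or accept
        else:
            status = "dev-only"  # only installed through devDependencies (or a different version in prod)
        rows.append({"name": name, "version": version, "purl": purls[0], "status": status,
                     "cpes": mismatched, "advisories": [v["name"] for v in dep["vulnerabilities"]]})
    return rows


def suppression_xml(rows):
    """dependency-check suppression entries (packageUrl regex + CPE prefix) for the mismatch rows."""
    entries = []
    for r in rows:
        if r["status"] != "cpe-name-mismatch":
            continue
        purl_regex = "^" + r["purl"].rsplit("@", 1)[0].replace(".", "\\.") + "@.*$"
        for cpe in r["cpes"]:
            vendor, product = cpe_vendor_product(cpe)
            entries.append("  <suppress>\n"
                           f"    <notes>{escape(r['name'])}: CPE product {escape(product)} is not this "
                           "package; reviewed manually</notes>\n"
                           f'    <packageUrl regex="true">{escape(purl_regex)}</packageUrl>\n'
                           f"    <cpe>cpe:/a:{escape(vendor)}:{escape(product)}</cpe>\n  </suppress>")
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<suppressions xmlns="https://jeremylong.github.io/'
            'DependencyCheck/dependency-suppression.1.3.xsd">\n' + "\n".join(entries) + "\n</suppressions>\n")


if __name__ == "__main__":
    if len(sys.argv) == 4:  # report.json  npm-ls-prod.json  npm-ls-all.json
        report, prod, full = (json.load(open(p, encoding="utf-8")) for p in sys.argv[1:])
    else:
        report, prod, full = DC_REPORT, PROD_GRAPH, FULL_GRAPH
    rows = triage(report, prod, full)
    for r in rows:
        print(f"{r['status']:18} {r['name']}@{r['version']}  {', '.join(r['advisories'])}")
    print(suppression_xml(rows))
```

Run it without arguments to see the sample triage, or with the three JSON files after `dependency-check.sh --scan . --format JSON --out report/` and the two `npm ls` commands. The mismatch status is a heuristic: a CPE product that legitimately differs from the npm name would be flagged too, so read each generated `<suppress>` entry (and its `<notes>`) before committing the file and passing it with `--suppression`. Anything that comes out as `dev-only` is the react-native-cli category from the question: worth fixing on the developer machines, but not in the shipped app.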
