Vulnerability Lookup Service is a tool to identify potential security vulnerabilities in external packages. This service will provide information of known vulnerabilities available on the internet.
The primary use of the VLS is to help organizations and individuals stay informed about the latest security threats and security posture of the application. By regularly scanning dependency file/s that contains packages used in a particular project against a vulnerability database, users can identify any known vulnerabilities that may be exploited by malicious actors.
-
Multiple Package Ecosystem scan support: VLS can scan external packages for vulnerabilities across multiple ecosystems. Currently supported ecosystems are NPM/Javascript, PyPI/Python, Maven/Java, Crates.io/Rust, Go/Golang with support for other ecosystems underway.
-
Single Package & Full File Scan support Using VLS, a user can scan for selected packages in the dependency file or the full file via actions available in right-click options.
-
Configurable Severity filter: User can configure minimum severity of vulnerabilities that is to be flagged.
VLS VSCODE extension also requires the VLS-API to run in your environment.
Build and Run VLS API
VLS API is available as a docker container. To build and run the VLS-API, follow these steps
-
Clone VLS-API from here
-
Build VLS docker image using
docker build -t iss-lab/vls-api . -
Run the docker container
docker run -d -p 3000:3000 iss-lab/vls-api -
VLS-API will now be accessible via
http://localhost:3000/
Install VLS Extension
The Extension is packaged as a VSIX file available in the build/ folder of this repository which can be installed using either of the following ways:
- Using "Install from VSIX" option available in the extensions sidebar in VSCODE. The option will be available on clicking the three dots ("Views and more actions") in the extensions sidebar on the top.
- Using the below command to install the extension from the specified .vsix file.
code --install-extension path/to/extension.vsixVLS can be configured via options that are available in the "User Settings" in VSCODE under the VLS heading. Configuration options are documented below:
- VLS: API URL - The HTTP/HTTPS URL of your VLS-API (Default - http://localhost:3000)
- VLS: Severity - Dropdown to configure minimum severity of vulnerabilities to show.
- VLS: Show all packages - Checkbox to show all packages including the non-vulnerable ones.
VLS can scan packages from known dependency files like package.json/package-lock.json/requirements.txt/go.mod/build.gradle/pom.xml/cargo.toml/cargo.lock.
For single package: Select the name of the package, right-click and select Lookup Vulnerability for Package option.
For file: Right-click on the file and select Lookup Vulnerability in File option.
You can view the Vulnerable packages in a tab called VULNERABLE PACKAGES which is next to terminal in the bottom panel on VSCODE.
Currently VLS only supports direct version scans and does not infer versions.
For Example in Python/requirements.txt file, only packages with no version or with ==version can be scanned. Packages with versions like >=version etc. will not be scanned and will be shown as (Package cannot be scanned) in the result panel.
For packages with no version being specified, results of all versions will be displayed.