Quick-tip: Scan your R library for security threats

A couple of weeks ago I came across the {oysteR} package, which aims to “secure your R projects against insecure dependencies”. It does this by scanning your R library and checking it against Sonatype's OSS Index.

The OSS Index is a free catalogue used to determine whether there are any known, publicly disclosed vulnerabilities in your open source dependencies. It lists most packages from ecosystems such as CRAN and Conda, together with whether they have known vulnerabilities or not.

Here are some examples:

  • dplyr - no known vulnerabilities
  • xgboost - a vulnerability the Index has rated “critical”

Using the package

You can install the package from CRAN as such:

install.packages("oysteR")

Load the package and check your library using the audit_deps() function.

library(dplyr)   # only needed for working with the result afterwards
library(oysteR)

# Scan the installed library; verbose = FALSE suppresses the progress messages
check_lib <- audit_deps(verbose = FALSE)

The function audit_deps() calls installed.packages(), splits the list of packages into batches, and checks the OSS Index API for known vulnerabilities.

If you set verbose = TRUE (the default), the messages tell you how many packages were scanned, how many were found in the Index, and how many contain known vulnerabilities.
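To make that mechanism concrete, here is an added example (my own code, not oysteR's) that performs the same kind of scan by hand: it turns installed.packages() into Package URL coordinates such as pkg:cran/xgboost@1.2.0.1, sends them to the OSS Index in batches, and counts the vulnerabilities reported per package. It assumes the OSS Index v3 component-report endpoint, a limit of 128 coordinates per request, the cvssScore field name in the response, and the httr and jsonlite packages.

```r
# Added example, not part of oysteR: a minimal re-implementation of the
# scan that audit_deps() performs, talking to the OSS Index REST API directly.
# Assumed: the v3 component-report endpoint, its JSON shape, and a batch
# limit of 128 coordinates per request.
library(httr)
library(jsonlite)

# Build Package URL (purl) coordinates for every installed package.
installed_purls <- function(lib = NULL) {
  pkgs <- installed.packages(lib.loc = lib)[, c("Package", "Version"), drop = FALSE]
  paste0("pkg:cran/", pkgs[, "Package"], "@", pkgs[, "Version"])
}

# Query one batch of coordinates. Returns one row per coordinate the Index
# knows about, with the number of vulnerabilities and the worst CVSS score.
query_oss_index <- function(coords) {
  resp <- POST(
    "https://ossindex.sonatype.org/api/v3/component-report",  # assumed endpoint
    body = list(coordinates = coords),
    encode = "json",
    content_type_json()
  )
  stop_for_status(resp)
  reports <- fromJSON(content(resp, as = "text", encoding = "UTF-8"),
                      simplifyVector = FALSE)

  do.call(rbind, lapply(reports, function(r) {
    # cvssScore is the assumed field name of each vulnerability entry
    scores <- vapply(r$vulnerabilities, function(v) {
      s <- v$cvssScore
      if (is.null(s)) NA_real_ else as.numeric(s)
    }, numeric(1))
    data.frame(
      coordinates = r$coordinates,
      n_vulns     = length(r$vulnerabilities),
      max_cvss    = if (length(scores) && any(!is.na(scores)))
                      max(scores, na.rm = TRUE) else NA_real_,
      stringsAsFactors = FALSE
    )
  }))
}

# Split the library into batches (as audit_deps() does) and scan each one.
audit_library <- function(lib = NULL, batch_size = 128) {
  coords  <- installed_purls(lib)
  batches <- split(coords, ceiling(seq_along(coords) / batch_size))
  do.call(rbind, lapply(batches, query_oss_index))
}

result <- audit_library()
# Only the packages with at least one reported vulnerability
result[result$n_vulns > 0, ]
```

Two things worth knowing before running this against a real environment: unauthenticated requests to the Index are rate-limited, so a large library may need pauses between batches, and every request discloses your full list of installed packages and versions to a third-party service.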

To see the identified vulnerabilities you can use the function get_vulnerabilities().

get_vulnerabilities(check_lib)
## # A tibble: 2 x 13
##   package version oss_package description reference cvss_id cvss_title
##   <chr>   <chr>   <chr>       <chr>       <chr>     <chr>   <chr>     
## 1 widget… 0.3.1   pkg:cran/w… "widgetfra… https://… 240d04… OSSINDEX-…
## 2 xgboost 1.2.0.1 pkg:cran/x… "xgboost: … https://… 4dae2e… OSSINDEX-…
## # … with 6 more variables: cvss_description <chr>, cvss_score <chr>,
## #   cvss_vector <dbl>, cvss_cwe <chr>, cvss_reference <chr>,
## #   no_of_vulnerabilities <int>

As you can see, in my library {oysteR} found vulnerabilities for {xgboost} and {widgetframe}.

The next step is to check the OSS Index for the type of vulnerability it found and decide what to do about it. Often, updating to the latest version of the package is enough; at other times it may be advisable not to use the package at all, especially in externally facing applications.
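One way to do that triage in code, as an added example that is not from the post or the package: it converts cvss_score to a number, keeps the packages whose worst finding is at or above a chosen threshold, and joins in old.packages() to show whether CRAN already ships a newer version. It assumes check_lib from audit_deps() above, the column names shown in the get_vulnerabilities() output, and a default threshold of 7 (the bottom of the CVSS "high" band).

```r
# Added example, not part of oysteR or the original post: triage the scan
# result by severity and check whether an update is available on CRAN.
# Assumes `check_lib` from audit_deps() and the columns package, version and
# cvss_score as printed by get_vulnerabilities() (cvss_score arrives as text).
library(dplyr)
library(oysteR)

triage_vulnerabilities <- function(audit, min_score = 7) {
  worst <- get_vulnerabilities(audit) %>%
    mutate(cvss_score = suppressWarnings(as.numeric(cvss_score))) %>%
    group_by(package, version) %>%
    summarise(
      n_vulns  = n(),
      # unscored findings are kept (NA) rather than silently dropped
      max_cvss = if (all(is.na(cvss_score))) NA_real_
                 else max(cvss_score, na.rm = TRUE),
      .groups  = "drop"
    ) %>%
    filter(is.na(max_cvss) | max_cvss >= min_score)

  # old.packages() compares the library with the configured CRAN mirror and
  # returns a matrix with an Installed and a ReposVer column, or NULL when
  # everything is current.
  outdated <- old.packages()
  newer <- if (is.null(outdated)) {
    tibble(package = character(), available = character())
  } else {
    tibble(package = rownames(outdated), available = unname(outdated[, "ReposVer"]))
  }

  worst %>%
    left_join(newer, by = "package") %>%
    mutate(action = case_when(
      !is.na(available) ~ paste0("update to ", available, " and re-scan"),
      TRUE ~ "no newer CRAN version: read the advisory, consider dropping the package"
    )) %>%
    arrange(desc(max_cvss))
}

triage_vulnerabilities(check_lib)
```

Re-scanning after an update matters because a newer CRAN release is not necessarily the fixed one; the Index entry for the new version is the confirmation.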

And for the Pythonistas?

The Python library jake provides the same functionality for Python by checking packages in your Conda environment.

Jan Petter Iversen
Consultant

Data analytics consultant from Bergen, Norway.