Note that this post was originally written in 2020. I have only made minor changes to the post before reposting.
A couple of weeks ago I came across the {oysteR} package, which aims to “secure your R projects against insecure dependencies”. It does this by scanning your R library and checking each installed package and version against the OSS Index by Sonatype.
The OSS Index is a free catalogue used to determine whether there are any known, publicly disclosed vulnerabilities in your open source dependencies. It covers most libraries from ecosystems such as CRAN and Conda and records, per version, whether known vulnerabilities exist.
Using the package
You can install the package from CRAN as such:
```r
install.packages("oysteR")
```
Load the package and check your library using the audit_installed_r_pkgs() function.
```r
check_lib <- oysteR::audit_installed_r_pkgs(verbose = FALSE)
```
If you set verbose = TRUE (the default), the messages tell you how many packages were scanned, how many were found in the Index, and how many contain known vulnerabilities.
To see the identified vulnerabilities you can use the function get_vulnerabilities().
```r
oysteR::get_vulnerabilities(check_lib)
# A tibble: 0 × 14
# ℹ 14 variables: package <chr>, version <chr>, type <chr>, oss_package <chr>,
#   description <chr>, reference <chr>, cvss_id <chr>, cvss_title <chr>,
#   cvss_description <chr>, cvss_score <chr>, cvss_vector <dbl>,
#   cvss_cwe <chr>, cvss_reference <chr>, no_of_vulnerabilites <int>
```
As you can see, {oysteR} did not find any vulnerabilities in my library.
Here is an example of a package with known vulnerabilities - an older version of {readxl}:
```r
# We can check single packages with `audit()`
oysteR::audit("readxl", version = "1.0.0", type = "cran", verbose = FALSE)
# A tibble: 1 × 8
#   package version type  oss_package        description reference vulnerabilities
#   <chr>   <chr>   <chr> <chr>              <chr>       <chr>     <list>
# 1 readxl  1.0.0   cran  pkg:cran/readxl@1… "readxl: …  https://… <list [5]>
# ℹ 1 more variable: no_of_vulnerabilities <int>
```
If we do find any vulnerabilities in our dependencies, the next step is to look up the entries in the OSS Index (the reference column points at them) to see what type of vulnerability was found, how severe it is (the cvss_score), and whether our own code actually exercises the affected functionality, and then decide what to do about it. Often updating to the latest version of the package is enough; other times it might be advisable not to use the package at all, especially in externally facing applications. Two caveats are worth keeping in mind: the audit sends the names and versions of your installed packages to the OSS Index API, so it needs network access, and an empty result only means that no publicly disclosed vulnerability is catalogued for those versions, not that the packages are free of bugs.
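To make that decision repeatable rather than a one-off interactive check, the audit can be turned into a gate in CI. The following is an added example and not code from the original post or from the {oysteR} package: it runs the audit, prints the vulnerabilities sorted by severity for triage, and errors out when any entry scores at or above a CVSS threshold. It assumes {dplyr} is installed, picks 7.0 as the threshold (my choice), and needs network access because the audit queries the OSS Index API.

```r
# Added example (not from the original post or from {oysteR}): a CI gate
# around audit_installed_r_pkgs()/audit() and get_vulnerabilities().
# Assumptions: {dplyr} is installed, the 7.0 threshold is an arbitrary
# choice, and the OSS Index API is reachable over the network.
library(oysteR)
library(dplyr)

audit_gate <- function(audit_result = audit_installed_r_pkgs(verbose = FALSE),
                       max_cvss = 7.0) {
  vulns <- get_vulnerabilities(audit_result)

  if (nrow(vulns) == 0) {
    message("No known vulnerabilities among ", nrow(audit_result),
            " audited package(s)")
    return(invisible(vulns))
  }

  # cvss_score may come back as character; coerce before comparing
  vulns <- vulns %>%
    mutate(cvss_score = suppressWarnings(as.numeric(cvss_score))) %>%
    arrange(desc(cvss_score))

  # Triage view: one row per (package, vulnerability), worst first
  print(select(vulns, package, version, cvss_id, cvss_score, cvss_title),
        n = Inf)

  blocking <- filter(vulns, !is.na(cvss_score), cvss_score >= max_cvss)
  if (nrow(blocking) > 0) {
    # An uncaught error under Rscript gives a non-zero exit status,
    # which is what fails the CI job
    stop(nrow(blocking), " vulnerability(ies) with CVSS >= ", max_cvss,
         " in: ", paste(unique(blocking$package), collapse = ", "),
         call. = FALSE)
  }
  invisible(vulns)
}

# Gate a specific package/version, e.g. the old {readxl} from above;
# the error is caught here only so the script continues to the next call
tryCatch(
  audit_gate(audit("readxl", version = "1.0.0", type = "cran", verbose = FALSE)),
  error = function(e) message("Gate result: ", conditionMessage(e))
)

# Gate the currently installed library (stops the script if anything blocks)
audit_gate()
```

Run it with Rscript in the pipeline; the uncaught stop() from the final call is what turns a blocking finding into a failed build. The threshold and the severity-only rule are deliberately simple: entries with no CVSS score are printed for manual review but do not block, so they are not silently ignored and do not break the build on their own either.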
And for Python?
The Python library jake provides the same functionality for Python by checking the packages in your Conda environment against the same OSS Index.