GitLab’s open source Package Hunter detects malicious code in dependencies

Let the OSS Enterprise newsletter guide your open source journey! Sign up here.

GitLab recently launched a new open source tool to detect malicious code in software components.

Modern software depends on dozens or hundreds of third-party packages, some which may not be actively maintained or monitored for vulnerabilities. Package Hunter, which integrates directly with GitLab’s continuous integration (CI) platform, runs a project’s dependencies in a siloed testing environment known as a sandbox, and leverages “dynamic behavior analysis” to spot malicious packages that attempt to extract sensitive data or otherwise run unintended code.

“Any suspicious system calls are reported to the user for further examination,” GitLab security research Dennis Appelt wrote in a blog post.

Pros and cons

While the benefits of open source software are well understood, the vast majority of codebases contain at least one known open source vulnerability, according to a recent Synopsys report. Another report also concluded that more often that not, developers don’t bother updating third-party libraries they use in their software.

However, the growing scourge of so-called supply chain attacks, which target businesses by exploiting vulnerabilities in “trusted” third-party hardware and software, has seemingly accelerated industry efforts to bolster defenses against threats like those that emerged in the high-profile infiltration of IT infrastructure company SolarWinds. That attack opened access to sensitive data at thousands of organizations from Microsoft to government agencies.

Google recently introduced a new end-to-end framework for “ensuring the integrity of software artifacts throughout the software supply chain,” which is essentially certification levels that verify what security processes a particular open source software package has in place. The internet giant also launched the Open Source Vulnerabilities database to improve vulnerability triage for developers.

GitLab quietly announced Package Hunter back in December and has been running the prototype internally since. But as of July 23, the company has made it available under a permissive MIT license for anyone to use.