Vulnerability

Overview

Common Vulnerabilities and Exposures (CVE) is the public catalogue of disclosed security vulnerabilities, each entry carrying an identifier that scanners match against. CVE records are essential for tracking known vulnerabilities, but they rarely cover malicious packages: a package that was published to carry malicious code is usually removed from the registry rather than assigned a CVE. Socket closes that gap by detecting malicious packages early, often before a CVE is issued and frequently when no CVE will ever be issued.

Severity   Alert Type     Description
Critical   Critical CVE   Contains a critical severity Common Vulnerabilities and Exposures (CVE) entry.
High       High CVE       Contains a high severity CVE entry.
Medium     Medium CVE     Contains a medium severity CVE entry.
Low        Low CVE        Contains a low severity CVE entry.

Types of Scenarios with Malicious Packages

1. Malicious Package Detected, CVE Issued, and Package Removed

  • Description: Socket detects a malicious package, a CVE is issued, and the package is removed from public registries. This is rare: CVEs are normally assigned to vulnerabilities rather than to malicious code, and malicious packages usually receive one only after a large-scale attack.
  • Value to Business: Socket shortens remediation time by detecting malicious packages hours or days before a CVE is issued.

2. Malicious Package Detected, No CVE Issued, Package Removed

  • Description: This is the most common scenario. Socket detects a malicious package, no CVE is issued, and the package is removed from public registries.
  • Examples: Most packages listed in our threat feed.
  • Value to Business:
    • Detects malicious packages that an SCA tool driven only by CVE data would miss, because there is no CVE record to match against.
    • Uncovers malicious packages that were cached in internal package mirrors (e.g., Artifactory) before the upstream removal and are still being installed from there. Removal from the public registry does not purge a mirror's cache or change an existing lockfile, so a package that no longer exists upstream can keep resolving successfully from the mirror.

3. Malicious Package Detected, No CVE Issued, Package Not Removed

  • Description: Socket detects a malicious package, no CVE is issued, and the package remains in public registries.
  • Example: event-source-polyfill
  • Value to Business:
    • Identifies malicious packages that cannot be discovered by SCA (CVE scanning) alone, since no CVE exists and none is expected.
    • Detects malicious packages that remain installable from public registries and from internal mirrors.
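A worked check for scenarios 2 and 3, added here as an illustration (this is not Socket's code or its threat feed): it parses an npm package-lock.json, matches installed versions against a CVE list and against a threat feed of known-malicious versions, and flags packages that were removed upstream but are still being resolved from an internal mirror. The lockfile contents, feed entries, package names and the mirror URL are all constructed for the example.

```javascript
// Added example, not Socket's code: scan an npm package-lock.json against
// (a) a conventional CVE list and (b) a threat feed of known-malicious
// versions, to show which findings a CVE-only scanner misses and which
// removed packages are still being served from an internal mirror.
// All package names, versions, feed entries and URLs below are constructed.

const NODE_MODULES = 'node_modules/';
const PUBLIC_REGISTRY_HOST = 'registry.npmjs.org';

// Flatten a lockfileVersion 3 "packages" map into installed dependencies.
// The package name is the path segment after the last "node_modules/",
// which also handles nested and scoped (@scope/name) packages.
function parseLockfile(lock) {
  const deps = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    const idx = path.lastIndexOf(NODE_MODULES);
    if (idx === -1) continue; // workspace link, not an installed package
    deps.push({
      name: path.slice(idx + NODE_MODULES.length),
      version: meta.version,
      resolved: meta.resolved || '',
    });
  }
  return deps;
}

// Classify where a tarball was fetched from by the host in "resolved".
function servedFrom(resolved) {
  if (!resolved) return 'unknown';
  try {
    return new URL(resolved).host === PUBLIC_REGISTRY_HOST ? 'public-registry' : 'internal-mirror';
  } catch {
    return 'unknown';
  }
}

// What an SCA tool that only knows CVE data would report.
function scanCveOnly(deps, cveKnown) {
  return deps
    .filter((d) => cveKnown.has(`${d.name}@${d.version}`))
    .map((d) => ({ ...d, reason: 'cve' }));
}

// What a threat-feed scan reports. A package that was removed from the
// public registry but still resolves from a mirror is called out explicitly.
function scanThreatFeed(deps, feed) {
  const byName = new Map(feed.map((e) => [e.name, e]));
  const findings = [];
  for (const d of deps) {
    const entry = byName.get(d.name);
    if (!entry || !entry.versions.includes(d.version)) continue;
    const source = servedFrom(d.resolved);
    findings.push({
      ...d,
      reason: 'malicious',
      hasCve: Boolean(entry.cve),
      source,
      stillServedByMirror: entry.removedFromRegistry && source === 'internal-mirror',
    });
  }
  return findings;
}

function scan(lock, feed, cveKnown) {
  const deps = parseLockfile(lock);
  const cveFindings = scanCveOnly(deps, cveKnown);
  const feedFindings = scanThreatFeed(deps, feed);
  // Malicious versions with no CVE: invisible to a CVE-only scanner.
  const missedByCveOnly = feedFindings.filter((f) => !f.hasCve).map((f) => `${f.name}@${f.version}`);
  return { cveFindings, feedFindings, missedByCveOnly };
}

// Constructed sample lockfile (lockfileVersion 3 layout). "left-widget" was
// fetched through a hypothetical internal Artifactory mirror.
const LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/left-widget': {
      version: '2.3.1',
      resolved: 'https://artifactory.internal.example/api/npm/npm-remote/left-widget/-/left-widget-2.3.1.tgz',
    },
    'node_modules/colour-utils': {
      version: '0.9.0',
      resolved: 'https://registry.npmjs.org/colour-utils/-/colour-utils-0.9.0.tgz',
    },
    'node_modules/colour-utils/node_modules/tiny-hex': {
      version: '0.1.0',
      resolved: 'https://registry.npmjs.org/tiny-hex/-/tiny-hex-0.1.0.tgz',
    },
    'node_modules/old-parser': {
      version: '1.2.0',
      resolved: 'https://registry.npmjs.org/old-parser/-/old-parser-1.2.0.tgz',
    },
  },
};

// Constructed CVE list as "name@version" keys (advisory identifiers omitted).
const CVE_KNOWN = new Set(['old-parser@1.2.0']);

// Constructed threat feed: scenario 2 (removed upstream, no CVE) and
// scenario 3 (still published, no CVE).
const THREAT_FEED = [
  { name: 'left-widget', versions: ['2.3.1'], cve: null, removedFromRegistry: true },
  { name: 'colour-utils', versions: ['0.9.0'], cve: null, removedFromRegistry: false },
];

console.log(JSON.stringify(scan(LOCKFILE, THREAT_FEED, CVE_KNOWN), null, 2));
```

Run against the constructed lockfile, the CVE-only pass reports only old-parser, while the threat-feed pass reports left-widget (removed upstream, still served by the mirror) and colour-utils (still on the public registry); neither of the latter has a CVE to match.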

Additional Package Risk Factors

Beyond vulnerabilities and malicious code, Socket detects various package risk factors such as:

  • Unmaintained packages
  • Deprecated packages
  • Obfuscated code
  • Telemetry within packages (code that reports usage or environment data to a remote endpoint)

These detections cover maintenance and behavioural risks that carry no CVE at all, giving a fuller picture of a dependency's security and quality than vulnerability data alone.