
Automate finding vulnerabilities in dependencies in Horizon + SDKs #848

Closed
tomquisel opened this issue Jan 31, 2019 · 3 comments

Comments

@tomquisel
Contributor

Keeping Horizon + SDKs secure is extremely important.

We should set up npm audit (for JS) and similar tools to run automatically during our workflow. Maybe an automated daily checker is the way to go. @brahman81 do you have any checkers like this already set up for other projects?
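One way to wire the JS side into a daily checker, as an added example rather than code from the Stellar repos: the script runs `npm audit --json`, reads the per-severity counts from the report's `metadata.vulnerabilities` block (present in both the npm 6 and npm 7+ report formats) and exits non-zero when anything at or above a chosen severity is present. The sample report is constructed; `run_npm_audit` assumes npm is on PATH.

```python
"""Fail a CI job on `npm audit` findings at or above a chosen severity.

Added example for this issue, not code from the Stellar repositories.
"""
import json
import subprocess
import sys

# npm's severity levels, least to most severe.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample of the part of an `npm audit --json` report we use.
SAMPLE_REPORT = json.dumps({
    "metadata": {"vulnerabilities": {
        "info": 0, "low": 2, "moderate": 1, "high": 1, "critical": 0}}
})


def count_at_or_above(report_json: str, threshold: str) -> int:
    """Return how many advisories are at `threshold` severity or worse."""
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {threshold!r}")
    counts = json.loads(report_json)["metadata"]["vulnerabilities"]
    start = SEVERITY_ORDER.index(threshold)
    return sum(int(counts.get(sev, 0)) for sev in SEVERITY_ORDER[start:])


def run_npm_audit(cwd: str = ".") -> str:
    """Run `npm audit --json` in `cwd` and return the raw JSON report.

    npm exits non-zero whenever it finds an advisory, so the exit code is
    not treated as an error here; only an empty report is.
    """
    proc = subprocess.run(["npm", "audit", "--json"], cwd=cwd,
                          capture_output=True, text=True)
    if not proc.stdout.strip():
        raise RuntimeError(f"npm audit produced no report: {proc.stderr}")
    return proc.stdout


def main() -> int:
    # Usage: audit_gate.py [severity] [--sample]; default threshold is high.
    threshold = next((a for a in sys.argv[1:] if not a.startswith("--")), "high")
    report = SAMPLE_REPORT if "--sample" in sys.argv else run_npm_audit()
    bad = count_at_or_above(report, threshold)
    print(f"{bad} advisories at severity >= {threshold}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from a cron job or scheduled CI step; `--audit-level` on newer npm versions gives a similar gate without the script, but the script keeps the threshold logic explicit and testable.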

@MarinX

MarinX commented Mar 4, 2019

I use SonarQube. It provides a nice report and solution for common mistakes.

For example, running it on the stellar-go project, it shows:

@brahman81
Contributor

@tomquisel apart from GitHub's vulnerability alerts, we do not have anything like this in place, but @MarinX's suggestion of SonarQube looks promising.

It would be interesting to evaluate other solutions, GH maintains a page with alternatives:

https://github.com/marketplace/category/security

@vcarl
Contributor

vcarl commented Mar 6, 2019

Snyk and SourceClear look promising, very similar to npm audit in that they check dependencies for known issues (vs scanning code).

gosec also looks to be a linter for security vulnerabilities, doesn't seem to be related to dependencies. I'm skeptical of scanning code for vulnerabilities though. I know "fuzzing" is a powerful way to test for issues (security and otherwise), may be worth investigating further.
