A WhiteSource report analysing vulnerabilities in npm (Node package manager) packages found that over 90% of vulnerabilities in npm packages were fixed before the vulnerability was published on the National Vulnerability Database (NVD). With the right tools and processes in place, developers can therefore install a fix before a security vulnerability is publicised, which ideally means before any black hat hackers are aware of it.
Installing a fix before the vulnerability is even publicly acknowledged is the best way to ensure that the attack window never opens in the first place. When a vulnerability is already known to attackers but not yet publicly disclosed, the attack window is even larger than previously expected, and requires a swift and effective fix.
When the company looked at the distribution of fix dates versus CVE publication dates, over half of the vulnerabilities had a fix available up to a month before the vulnerability was published on the NVD, and 85% of vulnerabilities were fixed a day or more before the issue was published. Some were even fixed a year or more before publication.
The WhiteSource report found that most of the vulnerable packages could have been addressed well before the issue was published on the NVD. The data collected shows that 83% of the CVEs most prevalent in projects could have been fixed before publication of the CVE, the point at which they become common knowledge to all users and become a risk.
Data on fix dates versus CVE publication dates shows that in most cases developers can fix security vulnerabilities even before they are published on the NVD. The problem is that manually tracking CVEs or released fixes for vulnerable open source components is virtually impossible.
The company said that WhiteSource Renovate helps developers integrate automated fix pull requests into the development environment, ensuring that fixes are implemented as soon as they are released.
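The lead-time measurement the report describes, plus the check an automated updater has to perform (is a fixed release already available for what we have installed, and is the CVE public yet?), as an added example in Node.js. This is not code from WhiteSource or Renovate; the advisory records, package names, CVE identifiers and installed versions are constructed sample data, and the "every version below fixedIn is affected" rule is a simplification.

```javascript
// Added example (not from the WhiteSource report or Renovate): measure the "fix lead time"
// the article describes and check installed npm versions against it. All data is CONSTRUCTED.
const MS_PER_DAY = 86400000;

const ADVISORIES = [ // fixDate = release of the first fixed version, nvdDate = NVD publication
  { id: "CVE-0000-0001", pkg: "left-sample", fixedIn: "1.2.1", fixDate: "2019-01-10", nvdDate: "2019-02-20" },
  { id: "CVE-0000-0002", pkg: "sample-parser", fixedIn: "3.0.0", fixDate: "2018-03-01", nvdDate: "2019-05-01" },
  { id: "CVE-0000-0003", pkg: "tiny-util", fixedIn: "0.4.2", fixDate: "2019-06-02", nvdDate: "2019-06-01" },
  { id: "CVE-0000-0004", pkg: "sample-parser", fixedIn: "3.1.0", fixDate: "2019-07-01", nvdDate: "2019-07-02" },
];

// Whole days between fix release and NVD publication; positive means the fix came first.
function leadTimeDays(advisory) {
  return Math.round((Date.parse(advisory.nvdDate) - Date.parse(advisory.fixDate)) / MS_PER_DAY);
}

// Share of advisories in the buckets the article reports (integer percentages).
// Dates are day-granular, so "fixed before publication" means at least one day before.
function leadTimeStats(advisories) {
  const leads = advisories.map(leadTimeDays);
  const pct = (pred) => Math.round((100 * leads.filter(pred).length) / leads.length);
  return {
    total: leads.length,
    fixedBeforePublication: pct((d) => d >= 1),
    fixedMonthOrMoreBefore: pct((d) => d >= 30),
    fixedYearOrMoreBefore: pct((d) => d >= 365),
    fixedAfterPublication: pct((d) => d < 0),
  };
}

// Minimal "major.minor.patch" comparison; prerelease tags and ranges are out of scope here.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Advisories still affecting the installed versions on date asOf, with how long the fix has
// been available and whether the NVD entry is public yet. Assumes every version below fixedIn
// is affected (simplification: real advisories carry explicit affected ranges).
function outstandingFixes(installed, advisories, asOf) {
  const now = Date.parse(asOf);
  return advisories
    .filter((a) => installed[a.pkg] !== undefined && compareVersions(installed[a.pkg], a.fixedIn) < 0)
    .filter((a) => Date.parse(a.fixDate) <= now)
    .map((a) => ({ id: a.id, pkg: a.pkg, upgradeTo: a.fixedIn,
      fixAvailableDays: Math.floor((now - Date.parse(a.fixDate)) / MS_PER_DAY),
      publishedOnNvd: Date.parse(a.nvdDate) <= now }));
}
```

With the sample data, `outstandingFixes` on 2019-07-01 reports one advisory whose fix has been public for 172 days and one whose fix shipped the same day while its CVE is not yet on the NVD, which is exactly the window the report says automated fix pull requests can close.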