Wikimedia Security Team/Third Party Code Review Checklist

From mediawiki.org

Here are some basic items the Security Team will check when reviewing third party packages and libraries. This should not be thought of as an exhaustive list and if time permits, more rigorous reviews of third party code are certainly recommended.

  1. Check for number and most recent dates of contributions to code, along with number of active developers.
  2. Check for current usage statistics of code, if available. i.e. how many downloads, by who, etc.
  3. Check for published security issues, especially open issues on project github or similar pages.
  4. Check for current, accurate method of reporting security vulnerabilities to a project. Get a sense of how responsive developers are, if possible.
  5. Check for published vulnerabilities within various databases:
    1. NIST vulns: https://nvd.nist.gov/search
    2. snyk: https://snyk.io/vuln
    3. language-specific tools:
      1. PHP - https://github.com/sensiolabs/security-checker
      2. PHP - https://github.com/FriendsOfPHP/security-advisories
      3. JS - https://docs.npmjs.com/cli/audit
      4. JS - https://docs.npmjs.com/cli/outdated.html
      5. JS - https://retirejs.github.io/retire.js/
  6. Static analysis, if feasible.
    1. PHP - https://github.com/FloeDesignTechnologies/phpcs-security-audit
    2. PHP - https://github.com/phan/phan which includes phan-taint-check-plugin if you use the MediaWiki config

(note: many of the checks above are contained/automated within the php-security-tools toolkit)