Test & DownloadSupport
    You are here:  
  1. HOME
  2. FAQ
  3. Documentation
  4. Administrator documentation
  5. Threat monitoring
  6. Vulnerabilities
  7. How does the YetiForce system detect vulnerabilities?

How does the YetiForce system detect vulnerabilities?

The tool checks if there are any vulnerabilities in external libraries that need to be removed. The functionality requires an internet connection as it sends information from composer.lock to an external service. The built-in security mechanism in the current version connects to the dedicated YetiForce Security service (https://security.yetiforce.com).

Description

The vulnerability detector currently verifies on the worldwide CVE database:

  • some of the external libraries used by the CRM system (e.g. libraries written in PHP),
  • vulnerabilities for the used version of PHP,
  • vulnerabilities for the webserver (Apache, Nginx),
  • vulnerabilities for libraries on the server: OpenSSL,
  • vulnerabilities for SQL engine (MySql, MariaDB).

Ultimately, the system will be able to verify all external libraries regardless of technology. We also plan to detect vulnerabilities in applications installed on the server, e.g. IMAP, PGP, etc.

Even though the application can only verify some libraries by default, the producer, checks for vulnerabilities in all libraries using tools such as https://snyk.io/, https://security.symfony.com/, https://depfu.com/, https://blackducksoftware.com/, https://david-dm.org/, https://sonarcloud.io/ and many other applications. 

Vulnerability Panel

Searching for vulnerabilities is performed automatically, after accessing the tool (System settings → Security → Vulnerability detection) the system sends over the following information to https://security.yetiforce.com:

  • CRM’s APP ID - the service is only available for registered systems,
  • PHP version,
  • operating system version (https://www.php.net/manual/en/function.php-uname.php),
  • information about SQL engine,
  • names, versions, update time of external libraries used in CRM.

The system will display a list of detected vulnerabilities along with detailed information about them:

2021-06-24_09-16-56.png

If no vulnerabilities were found, the following message will be displayed:

2021-06-21_13-35-45.png

YetiForce Security Dependency Check

The security.yetiforce.com vulnerability detection mechanism operates on the official CVE based vulnerability database available at https://github.com/FriendsOfPHP/security-advisories

System Warnings

Vulnerability detection is also performed in the "System warnings" panel - the system regularly checks security gaps and informs the administrators about any potential threats that need to be dealt with.

2021-02-22_10-03-39.png

Related Links

  • Written by: Mariusz Krzaczkowski
  • Saturday, 18 July 2020