How to verify there is no malicious code in an open-source library?



  • I am planning to use an open-source library in my project instead of developing from scratch. How can I verify that there is no malicious code in the library, or that no one can access my files through it?

    Currently Visual Studio code implements Workspace Trust and some extensions are disabled even though the extensions are licensed by a trusted source.

    I would like to know if all open-source libraries are licensed only after they have been properly verified.

    If I run some code and some other, malicious code runs in the background, can I get alerts? Or, if I call some function, is there any possibility that it posts data to a different server? If yes, how can I monitor it through logs (e.g. an access log for incoming connections)? I would like to monitor outbound transfers.



  • You'll need to go through the source code and decide for yourself if it's safe for your use or not. If you deem it as safe, you can compile the code yourself and deploy it (as the already compiled code might be different from the source code).

    how can I monitor it through some logs (e.g. an access log for incoming connections)? I would like to monitor outbound transfers and what data has been transferred?

    There are different tools to do that. If you want to block the connections, you can use a firewall.

    But if you want to monitor the traffic, you can use tools like Wireshark to capture the packets and see what's incoming and what's outgoing.

    And as pointed out in the comments by @Steffen, the licence does not guarantee bug-free or malice-free code. What is a bug or an undesired feature for you might be a necessary feature for someone else.
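Wireshark and a firewall see traffic after it has left the process, so they tell you that something connected out but not which code did it. For a Python library the interpreter can also be watched from the inside: CPython's audit hooks (Python 3.8+) fire before `socket.connect`, `socket.sendto` and `socket.getaddrinfo` reach the kernel, so a hook can log every outbound attempt and abort any that is not on an allowlist. The following is an added example, not code from the question or the answer above; the allowlist, the in-memory log and the "phoning home" function standing in for an untrusted library are all constructed for illustration, and 203.0.113.7 is a documentation-only address (RFC 5737).

```python
import socket
import sys

# Constructed allowlist for this example: the only destination the application
# is expected to talk to. Anything else a library opens is treated as suspect.
ALLOWED_DESTINATIONS = {("127.0.0.1", 8443)}

# In-memory log of every outbound attempt the hook sees. A real deployment
# would write to a file or syslog; the hook itself must not open sockets,
# because that would recurse into its own audit event.
OUTBOUND_LOG = []


class OutboundBlocked(RuntimeError):
    """Raised from inside the audit hook to abort a connection attempt."""


def _normalise(address):
    """Return (host, port) for the address forms connect()/sendto() accept."""
    if isinstance(address, tuple):          # AF_INET / AF_INET6: (host, port, ...)
        return str(address[0]), int(address[1])
    return str(address), None               # AF_UNIX path or anything exotic


def classify_destination(address):
    """Decide whether an outbound destination is expected.
    Returns ('allowed' | 'blocked', host, port); pure, so it is easy to test."""
    host, port = _normalise(address)
    verdict = "allowed" if (host, port) in ALLOWED_DESTINATIONS else "blocked"
    return verdict, host, port


def _audit_hook(event, args):
    # CPython raises these events before the system call is made, so raising
    # an exception here stops any packet from leaving the host.
    if event == "socket.connect":
        _sock, address = args
    elif event == "socket.sendto":
        _sock, _data, address = args
    elif event == "socket.getaddrinfo":
        # Name resolution for an unexpected domain is an early sign of
        # exfiltration, so record it even though nothing is blocked here.
        OUTBOUND_LOG.append(("dns", str(args[0]), args[1], "observed"))
        return
    else:
        return
    verdict, host, port = classify_destination(address)
    OUTBOUND_LOG.append((event, host, port, verdict))
    if verdict == "blocked":
        raise OutboundBlocked(f"{event} to {host}:{port} not in allowlist")


_INSTALLED = False


def install_outbound_monitor():
    """Install the hook once. Audit hooks cannot be removed for the life of
    the interpreter, which is the right property for a guard like this."""
    global _INSTALLED
    if not _INSTALLED:
        sys.addaudithook(_audit_hook)
        _INSTALLED = True


def untrusted_library_call():
    """Constructed stand-in for a third-party function that quietly phones
    home. 203.0.113.7 is reserved for documentation, so nothing real is
    contacted even without the hook; with the hook, connect() is aborted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1)
        s.connect(("203.0.113.7", 443))
        s.sendall(b"stolen=secret")


def run_guarded(func):
    """Run a callable and report whether it tried to reach a blocked host."""
    install_outbound_monitor()
    try:
        func()
        return "completed"
    except OutboundBlocked as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    print(run_guarded(untrusted_library_call))
    for entry in OUTBOUND_LOG:
        print(entry)
```

Run the module directly and the connect attempt is reported as blocked, with the log showing the exact event, host and port the library tried to use. This only covers code that goes through Python's socket layer; a library with a native extension or a subprocess can bypass it, which is why the host firewall and packet capture the answer mentions remain the outer layer.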


