Using Vulnerable Libraries

Why is this important?

Most of the code for modern applications is coming from third-party libraries. This is great because it speeds up development. However, there is no guarantee that third-party libraries are secure and of high quality.

Check out this video for a high-level explanation:

Using Known Vulnerable Components

Updating Vulnerable libraries

Option A: Manually updating the dependency

  1. Look at the vulnerable component in the GuardRails PR comment.
  2. Identify the right package in the packages.config or *.csproj.
  3. Change the version of the related package to reflect the patched version.
  4. Test to verify that the upgrade doesn't break the app.
  5. Ship it 🚢 and relax 🌴

Option B: Updating the dependency via Nuget

  1. Look at the vulnerable component in the GuardRails PR comment.
  2. Perform either of the following,
    • Package Manager UI: On the Updates tab, select one or more packages and select Update.
    • Package Manager console: Run the Update-Package command
    • nuget.exe CLI: Run nuget.exe update on the command line.
  3. Verify that the affected packages have been updated to reflect the patched version.
  4. Test to verify that the upgrade doesn't break the app.
  5. Ship it 🚢 and relax 🌴

More information

Insecure Use of SQL QueriesOverview