Using Vulnerable Libraries
Why is this important?
Most of the code in modern applications comes from third-party libraries. This is great because it speeds up development. However, there is no guarantee that third-party libraries are secure and of high quality, and a vulnerability in one of them becomes a vulnerability in your application.
Check out this video for a high-level explanation:
Updating Vulnerable libraries
Option A: Manually updating the dependency
- Look at the vulnerable component in the GuardRails PR comment.
- Identify the right `package` in the `packages.config` or `*.csproj`.
- Change the `version` of the related `package` to reflect the patched version.
- Test to verify that the upgrade doesn't break the app.
- Ship it 🚢 and relax 🌴
Option B: Updating the dependency via Nuget
- Look at the vulnerable component in the GuardRails PR comment.
- Perform either of the following:
  - Package Manager UI: On the Updates tab, select one or more packages and select Update.
  - Package Manager console: Run the `Update-Package` command.
  - nuget.exe CLI: Run `nuget.exe update` on the command line.
- Verify that the affected `packages` have been updated to reflect the patched version.
- Test to verify that the upgrade doesn't break the app.
- Ship it 🚢 and relax 🌴
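As an added example (not GuardRails' or NuGet's own code), the following hypothetical Python helper performs the file-level steps of both options above for either manifest format: it parses `packages.config` and SDK-style `*.csproj`, reports which version of a given package is declared, checks whether every declaration is at or above the patched version (the "verify" step of Option B), and rewrites the version attribute in place (the manual edit of Option A). The package name, versions and file contents are constructed placeholders, not a real advisory; the version comparison drops prerelease labels, which is a simplification of NuGet's ordering.

```python
"""Locate, check and bump a NuGet package version in packages.config or *.csproj.

Hypothetical helper, not GuardRails' or NuGet's own code. It implements the
manual update step from Option A and the verification step from Option B.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample manifests; the package ids and versions are placeholders.
PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Example.Library" version="2.0.1" targetFramework="net472" />
  <package id="Other.Tool" version="1.3.0" targetFramework="net472" />
</packages>
"""

CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Example.Library" Version="2.0.1" />
    <PackageReference Include="Other.Tool" Version="1.3.0" />
  </ItemGroup>
</Project>
"""


def parse_version(version):
    """Turn '2.0.1' or '2.0.1-beta' into a comparable tuple of ints.

    Prerelease labels are dropped: a simplification of NuGet's SemVer ordering
    that is sufficient for an 'is the patched release installed?' check."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def find_versions(xml_text, package_id):
    """Return every version declared for package_id in either file format.

    Package ids are matched case-insensitively, as NuGet treats them."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip any XML namespace prefix
        if tag == "package" and elem.get("id", "").lower() == package_id.lower():
            found.append(elem.get("version"))
        elif tag == "PackageReference" and elem.get("Include", "").lower() == package_id.lower():
            # SDK-style projects may carry the version as a child element instead
            version = elem.get("Version")
            if version is None:
                child = elem.find("Version")
                version = child.text if child is not None else None
            found.append(version)
    return found


def is_patched(xml_text, package_id, patched_version):
    """True only if the package is declared and every declaration is at or
    above patched_version; a missing or unversioned entry counts as not patched."""
    versions = find_versions(xml_text, package_id)
    if not versions or any(v is None for v in versions):
        return False
    return all(parse_version(v) >= parse_version(patched_version) for v in versions)


def bump_version(xml_text, package_id, new_version):
    """Rewrite the version attribute of package_id in place.

    A targeted regex is used rather than re-serialising the XML so that
    comments, whitespace and attribute order elsewhere in the file survive."""
    pattern = re.compile(
        r'(<(?:package\s+id|PackageReference\s+Include)="' + re.escape(package_id)
        + r'"[^>]*?\bversion=")([^"]*)(")',
        re.IGNORECASE,
    )
    return pattern.sub(lambda m: m.group(1) + new_version + m.group(3), xml_text)


if __name__ == "__main__":
    for name, text in (("packages.config", PACKAGES_CONFIG), ("csproj", CSPROJ)):
        print(name, "Example.Library ->", find_versions(text, "Example.Library"),
              "patched to 2.0.2?", is_patched(text, "Example.Library", "2.0.2"))
        updated = bump_version(text, "Example.Library", "2.0.2")
        print(name, "after bump, patched?", is_patched(updated, "Example.Library", "2.0.2"))
```

Run `is_patched` against every manifest in the repository after the upgrade, not just the one you edited: a solution with several projects can keep an old version alive in a project the PR comment did not mention, and the check fails closed on a package that is absent or declared without a version.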
More information
- OWASP TOP 10 Reference: Using Components with Known Vulnerabilities