Using Vulnerable Libraries

Why is this important?

Most of the code for modern applications is coming from third-party libraries. This is great because it speeds up development. However, there is no guarantee that third-party libraries are secure and of high quality.

As a result, over 750 vulnerabilities were reported in Python packages.

Check out this video for a high-level explanation:

Updating Vulnerable Libraries

Option A: Manually update the packages

1. Look at the vulnerable package in the GuardRails PR comment.
2. Upgrade to the latest version of the affected package by running:

  # Install a specific non-vulnerable version
  pip install aiohttp==0.16.3
  # Upgrade a specific package to the latest version
  pip install aiohttp
  # Update the requirements.txt
  pip freeze > requirements.txt

3. Test to verify that the upgrade doesn't break the app.
4. Ship it 🚢 and relax 🌴

Option B: When no update is available

1. Look at the vulnerable package in the GuardRails PR comment.
2. If no update is available then you have 3 choices:
   • Remove the package if it's not needed
   • Replace the package with another one that doesn't contain vulnerabilities
   • Take a closer look at the vulnerability details and create a PR patching it.
3. Test to verify that your actions don't break the app.
4. Ship it 🚢 and relax 🌴

More information:

• OWASP TOP 10 Reference: Using Components with Known Vulnerabilities
• PIP Update Requirements - PUR