Using Vulnerable Libraries
Fixing Vulnerable Libraries
About Vulnerable Libraries
What are Vulnerable Libraries?
Vulnerable libraries are software components or modules that contain known security vulnerabilities that can be exploited by attackers. Libraries are typically pre-written code that is designed to perform specific functions or tasks and can be used by developers to build their own applications.
Vulnerable libraries can be introduced in various ways, such as outdated or unsupported libraries, libraries with known security issues, or libraries that have been modified by third-party developers.
Check out this video for a high-level explanation:
What is the impact of Vulnerable Libraries?
Vulnerable Libraries can contain any kind of vulnerability, ranging from moderate to critical risk. In some cases, these vulnerabilities are easily exploitable, even through automation, such as Log4Shell (CVE-2021-44228). This can result in immediate compromise of the application.
A list of the Top 15 Routinely Exploited Vulnerabilities in 2021 can be seen here.
How to prevent Vulnerable Libraries?
To prevent the use of vulnerable libraries, it is important to follow security best practices and implement appropriate security measures, such as:
- Use up-to-date and supported libraries: Use up-to-date and supported libraries that have been tested for security vulnerabilities and have been updated with security patches.
- Regularly scan and test libraries: Regularly scan and test libraries for known vulnerabilities, using automated tools and services to identify potential security issues and vulnerabilities.
- Conduct regular security audits: Conduct regular security audits and code reviews to identify and address potential security issues and vulnerabilities.
- Monitor alerts and notifications: Monitor alerts and notifications from security vendors and industry groups about potential security risks and vulnerabilities in libraries and other software components.
Ideally, the patch management process ensures that updates are installed on an ongoing basis, to avoid having to install major version updates. Automated test suites can help verify that the application is still working the way it is intended after an upgrade.
References
Taxonomies
- OWASP Top 10 - A06 Vulnerable and Outdated Components
- CWE-1104: Use of Unmaintained Third Party Components
Training
Option A: Update the library with npm audit
Ensure you have npm version 6.1.0 or higher
npm -v
6.1.0Change the directory into the root of your repository
cd `name of repository`
Run npm audit fix
npm audit fix
Test to verify that the upgrade doesn't break the app
Ship it 🚢 and relax 🌴
Option B: Manually update the library
- Look at the vulnerable package in the GuardRails PR comment
- Change the package.json to reflect the updated version
- Test to verify that the upgrade doesn't break the app
- Ship it 🚢 and relax 🌴
Option C: When no update is available
- Look at the vulnerable package in the GuardRails PR comment
- If no update is available then you have 3 choices:
- Remove the package if it's not needed
- Replace the package with another one that doesn't contain vulnerabilities
- Take a closer look at the vulnerability details and create a PR patching it
- Test to verify that your actions don't break the app
- Ship it 🚢 and relax 🌴
Option D: Updating vulnerable JavaScript libraries
- Review the vulnerable JS client libraries, such as jquery.
- Replace the vulnerable version, with the up-to-date and secure version
- Test to verify that your actions don't break the app
- Ship it 🚢 and relax 🌴