Using Vulnerable Libraries

Why is this important?

Most of the code in modern applications comes from third-party libraries. This is great because it speeds up development. However, there is no guarantee that third-party libraries are secure and of high quality.

According to Sonatype, in 2017, 12.1% (1 in 8) of Java downloads contained known vulnerabilities.

Check out this video for a high-level explanation:

Using Known Vulnerable Components

Updating Vulnerable Libraries

Option A: Manually update the dependency (Maven)

  1. Look at the vulnerable component in the GuardRails PR comment.
  2. Identify the right artifactId in the pom.xml.
    • Note: GuardRails attempts to identify the right artifact automatically. In some cases, it is a sub-dependency of another component and can't be directly updated.
  3. Change the <version> of the related <artifactId> in the pom.xml to reflect the patched version.
  4. Test to verify that the upgrade doesn't break the app.
  5. Ship it 🚢 and relax 🌴
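Steps 2 and 3 above, as an added example that is not part of GuardRails or this page: a small Python helper that locates the artifactId in a pom.xml, rewrites its version to the patched one, and reports the cases where that is not possible (the version lives in a ${property}, is managed by a parent/BOM, or the component is only a transitive sub-dependency). The sample pom.xml and its coordinates are constructed for illustration.

```python
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Constructed sample pom.xml: made-up coordinates and versions, not from any real project
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><parser.version>1.4.0</parser.version></properties>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>parser-lib</artifactId>
      <version>${parser.version}</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>http-lib</artifactId>
      <version>2.0.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>managed-lib</artifactId></dependency>
  </dependencies>
</project>"""


def bump_dependency(pom_xml, group_id, artifact_id, patched_version):
    """Rewrite the version of group_id:artifact_id and return (status, new_pom_xml).

    status: 'updated' (literal <version> changed), 'updated-property' (version was a
    ${property} reference, the property was changed), 'managed' (no <version> here, a
    parent/BOM controls it) or 'not-direct' (not declared in this pom: a transitive
    dependency of another component, so it cannot be updated here).
    """
    ET.register_namespace("", POM_NS)  # keep the default namespace on serialisation
    root = ET.fromstring(pom_xml)
    for dep in root.iterfind("m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", namespaces=NS)
        aid = dep.findtext("m:artifactId", namespaces=NS)
        if (gid, aid) != (group_id, artifact_id):
            continue
        version = dep.find("m:version", NS)
        if version is None:
            return "managed", pom_xml
        text = (version.text or "").strip()
        if text.startswith("${") and text.endswith("}"):
            # Version is a property reference such as ${parser.version}: update the property
            props = root.find("m:properties", NS)
            wanted = "{%s}%s" % (POM_NS, text[2:-1])
            for prop in (props if props is not None else []):
                if prop.tag == wanted:
                    prop.text = patched_version
                    return "updated-property", ET.tostring(root, encoding="unicode")
            return "managed", pom_xml  # property is defined outside this pom (e.g. a parent)
        version.text = patched_version
        return "updated", ET.tostring(root, encoding="unicode")
    return "not-direct", pom_xml
```

A 'not-direct' result is the sub-dependency case from the note above: the fix has to go through the component that pulls it in, so this helper leaves the pom.xml unchanged.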

Option C: When no update is available

  1. Look at the vulnerable component in the GuardRails PR comment.
  2. If no update is available, you have three choices:
    • Remove the component if it's not needed
    • Replace the component with another one that doesn't contain vulnerabilities
    • Take a closer look at the vulnerability details and create a PR patching it
  3. Test to verify that your actions don't break the app.
  4. Ship it 🚢 and relax 🌴

More information: