
🔗 Vulnerability Scanning for Application Dependencies

Code from Dependencies

Our app contains third-party code that we did not write. The question is: how do we know whether a well-known library has any vulnerabilities?

We don't! We also need to scan those dependencies for vulnerabilities. SAST (Static Application Security Testing) does not help here, because it analyses our own source code; we must run SCA (Software Composition Analysis), which checks the third-party components we pull in against known-vulnerability data.

  • SAST - Scan your own code for vulnerabilities
  • SCA - Scan for known vulnerabilities in your dependencies

How can we know if a library has vulnerabilities?

These libraries, whatever the language (JavaScript, Java, Python, PHP, Ruby, ...), usually have their known issues recorded in public CVE databases (Common Vulnerabilities and Exposures). An entry typically tells us:

  • What the issue is
  • Which versions are affected
  • In which version it is fixed, and/or a workaround

Add an SCA scan to the pipeline

In the previous chapter 👨‍🔧 Vulnerability Management and Remediation we created a pipeline and a script to upload results to DefectDojo.

Vulnerabilities found by SCA are mostly fixed in a newer version of the library. However, the vulnerable library may be a transitive dependency (a dependency of the third-party library we require), so the fix may mean upgrading the direct dependency that pulls it in, and that upgrade needs testing to ensure the new version does not break anything.

This has to be done hand in hand with the developers and/or the QA team (or, alternatively, by running the application's end-to-end tests).
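To make the SCA logic above concrete (matching the installed versions from a lockfile against the affected/fixed version ranges a CVE entry provides, and reporting whether a hit is a direct or a transitive dependency), here is a minimal scanner added as a worked example. It is not code from the original page or from any SCA tool. The dependency set, the advisory feed and the advisory IDs (EXAMPLE-0001 etc.) are constructed placeholders, not real packages or CVEs; a real pipeline would read the lockfile and a public advisory feed instead.

```python
"""Minimal SCA check: match resolved dependencies against advisory version ranges.

Added example, not from the page. Everything below is constructed for
illustration: RESOLVED_DEPS stands in for a parsed lockfile (name, installed
version, and the direct dependency that pulled it in, None for direct deps);
ADVISORIES stands in for a public CVE/advisory feed. IDs are placeholders.
"""
import re
from typing import Optional

# Constructed sample input: what a lockfile / `pip freeze` would resolve to.
RESOLVED_DEPS = [
    {"name": "webframework", "version": "2.3.1", "via": None},
    {"name": "templating",   "version": "1.4.0", "via": "webframework"},
    {"name": "yamlparser",   "version": "5.1.0", "via": "configlib"},
    {"name": "configlib",    "version": "0.9.2", "via": None},
]

# Constructed stand-in for an advisory feed (IDs and ranges are invented).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "templating",
     "introduced": "1.0.0", "fixed": "1.4.2",
     "summary": "sandbox escape in template rendering"},
    {"id": "EXAMPLE-0002", "package": "yamlparser",
     "introduced": "0.0.0", "fixed": "5.2.0",
     "summary": "unsafe loader allows code execution"},
    {"id": "EXAMPLE-0003", "package": "webframework",
     "introduced": "1.0.0", "fixed": "2.0.0",
     "summary": "header injection"},
]


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically rather than
    as strings ('10.0.0' must be greater than '9.0.0'). Short versions such as
    '1.4' are padded with zeros so '1.4' == '1.4.0'."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected range is [introduced, fixed): the fix version itself is safe.
    fixed=None means no fix has been released, so everything >= introduced is affected."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is None:
        return True
    return v < parse_version(fixed)


def scan(deps, advisories):
    """Return one finding per (dependency, advisory) match. Each finding records
    whether the package is transitive and which direct dependency pulled it in,
    because that decides what actually has to be upgraded."""
    findings = []
    for dep in deps:
        for adv in advisories:
            if adv["package"] != dep["name"]:
                continue
            if is_affected(dep["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "id": adv["id"],
                    "package": dep["name"],
                    "installed": dep["version"],
                    "fixed_in": adv["fixed"],
                    "transitive": dep["via"] is not None,
                    "via": dep["via"],
                    "summary": adv["summary"],
                })
    return findings


def pipeline_exit_code(findings) -> int:
    """Non-zero fails the CI job; any finding blocks the build in this example."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = scan(RESOLVED_DEPS, ADVISORIES)
    for f in results:
        origin = f"pulled in by {f['via']}" if f["transitive"] else "direct dependency"
        print(f"{f['id']}: {f['package']} {f['installed']} ({origin}) "
              f"- {f['summary']}; fixed in {f['fixed_in']}")
    raise SystemExit(pipeline_exit_code(results))
```

With the constructed data, webframework 2.3.1 is already past the fixed version 2.0.0 and is not reported, while templating and yamlparser are both flagged as transitive dependencies, so the upgrade has to happen in webframework and configlib (or by pinning the transitive version), and the job exits non-zero so the pipeline fails until that is done.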