When one open-source package riddled with vulns pulls in dozens of others, what's a dev to do?
2020-06-26 09:25

The second most common vulnerability category last year was malicious packages, where a trusted package is contaminated with one crafted for an attack.

"A dev using one open-source package typically unwittingly pulls in dozens of others. Most known vulnerabilities are in those packages, and with a typical app using hundreds of libraries, the odds of a severe vulnerability in some of them are high."

Having established what vulnerabilities exist, "there are a number of ways to mitigate the risks. Does an upgrade path exist? Or we need to code defensively so that if a vulnerability exists, which doesn't have a fix, we do enough input validation or whatever is needed to avoid that code path from being attacked. And when we choose an open-source package, how many maintainers are there? If a vulnerability is found, how quick are they to provide patches?"
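The audit the quote describes, as an added example that is not part of the article or of Snyk's tooling: walk a lockfile-shaped dependency graph, match every reachable package (direct or transitively pulled in) against an advisory feed, and record for each hit whether an upgrade path exists or the app has to mitigate in its own code. The lockfile, package names, versions and advisories are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample shaped like a resolved lockfile: package -> (pinned version, its own deps).
LOCK = {
    "app":             ("1.0.0", ["web-framework", "http-client"]),
    "web-framework":   ("2.3.1", ["template-engine", "yaml-parser"]),
    "http-client":     ("0.9.4", ["yaml-parser"]),
    "template-engine": ("1.1.0", []),
    "yaml-parser":     ("3.0.2", []),
}
# Constructed advisory feed: package -> [(affected versions, first fixed version or None)].
ADVISORIES = {
    "yaml-parser":     [({"3.0.0", "3.0.1", "3.0.2"}, "3.0.3")],
    "template-engine": [({"1.1.0"}, None)],  # known bug, no fix published yet
}

@dataclass
class Finding:
    package: str
    version: str
    path: list               # shortest chain from a direct dependency down to the package
    fixed_in: Optional[str]  # None: no upgrade path, so the app must mitigate in its own code

    @property
    def transitive(self) -> bool:
        return len(self.path) > 1

def dependency_paths(lock, root="app"):
    """Every path from root to each package, walking the lockfile depth-first."""
    paths = {}
    def walk(name, path):
        for dep in lock[name][1]:
            if dep in path:  # tolerate cyclic dependency graphs
                continue
            chain = path + [dep]
            paths.setdefault(dep, []).append(chain)
            walk(dep, chain)
    walk(root, [])
    return paths

def audit(lock, advisories, root="app"):
    """Match every reachable package, direct or transitive, against the advisory feed."""
    findings = []
    for name, paths in dependency_paths(lock, root).items():
        version = lock[name][0]
        for affected, fixed_in in advisories.get(name, []):
            if version in affected:
                findings.append(Finding(name, version, min(paths, key=len), fixed_in))
    return findings
```

Calling `audit(LOCK, ADVISORIES)` on the sample reports two vulnerable packages, both transitive: one with a fixed version to upgrade to and one with no fix, which is the case the quote says needs defensive coding.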


News URL

https://go.theregister.com/feed/www.theregister.com/2020/06/26/open_source_security_snyk_survey/