
Stability concerns holding back patching practices


The stability cost of patching a vulnerable dependency can stop many developers from remedying a known flaw in their own software, according to researchers with Endor Labs, who said that the changes a patched dependency brings can have downstream effects on the applications that consume it.

“If they did not follow this best practice, the application developer can create a direct dependency using the non-vulnerable version identifier, such that the package manager’s resolution logic will give priority to the version specified directly,” the researchers stated.

The problem, according to the security firm, is that there is a major disconnect between those who develop software packages — both open and closed source — and those who use them.

As a result, updates to a package often change its code, interfaces and components in ways that are not compatible with earlier versions. An application built on such constantly changing frameworks can be difficult to keep stable.

This, in turn, creates an environment where developers may opt to keep their own applications on an earlier version of the dependency, one that is now known to be vulnerable to attack.

“Seemingly the most straight-forward solution is to upgrade to a non-vulnerable version of the dependency,” noted Endor Labs.

“However, what sounds easy in principle — after all, you just need to update the version identifier to a non-vulnerable one, right? — can cause compatibility problems and regressions that break an application during development or runtime.”

To remedy the issue, Endor Labs suggested that developers move to an SCA (software composition analysis) tool that analyzes dependencies more precisely: one that builds a complete inventory of direct and transitive dependencies and determines whether the application's own code actually calls into a component that has been patched for a flaw, rather than simply flagging every vulnerable version present in the dependency tree.

This would, in turn, help keep vendors from being compromised through upstream dependencies, including flaws that have been fixed upstream but not yet picked up downstream, and let them prioritize the upgrades that actually reduce exposure over those that only risk regressions.

“One of the most essential roles of an SCA tool is to correlate a list of vulnerabilities with your application code to see if you’re potentially exposed,” the security firm noted.

“This requires the tool to generate an accurate software inventory (including both direct and transitive dependencies) and have access to a robust vulnerability database.”
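The two mechanisms quoted above, a direct dependency declaration that takes priority over a transitive one, and an SCA pass that builds a direct-plus-transitive inventory and correlates it with a vulnerability database, can be shown together in one small script. The following is an added illustration, not code from Endor Labs or from any real SCA product. It assumes Maven-style "nearest wins" resolution (the shallowest declaration of a package decides its version; at equal depth the first declaration wins), which is what the quoted advice relies on; npm and pip resolve differently. The package index, the application manifest and the advisory `EXAMPLE-2023-0001` are constructed sample data. It also reports the compatibility warnings the article cautions about: packages whose resolved version no longer matches what some dependent declared.

```python
"""Nearest-wins dependency resolution with vulnerability correlation (illustrative only).

Not Endor Labs' tooling. All package names, versions and the advisory are constructed.
"""
from collections import deque

# Constructed sample package index: (name, version) -> [(dependency, exact version), ...].
# Every declaration is an exact version, as in a Maven-style pom.
INDEX = {
    ("webframework", "2.1.0"): [("jsonparser", "1.4.0"), ("httpclient", "4.5.0")],
    ("httpclient", "4.5.0"):   [("jsonparser", "1.4.0")],
    ("jsonparser", "1.4.0"):   [],
    ("jsonparser", "1.5.0"):   [],
    ("reporting", "0.9.0"):    [("jsonparser", "1.5.0")],
}

# Constructed advisory in an OSV-like shape: affected from `introduced` up to (excluding) `fixed`.
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "package": "jsonparser", "introduced": "1.0.0", "fixed": "1.5.0"},
]

# Constructed application manifest: direct dependencies only; jsonparser arrives transitively.
DIRECT_DEPS = [("webframework", "2.1.0"), ("reporting", "0.9.0")]


def parse_version(v):
    """'1.4.0' -> (1, 4, 0); numeric tuples compare correctly, unlike strings."""
    return tuple(int(part) for part in v.split("."))


def resolve(direct_deps):
    """Breadth-first 'nearest wins' resolution (assumed Maven-like semantics).

    Returns {name: {"version", "depth", "path", "declared": [(declarer, version), ...]}}.
    Only the winning version of a package is expanded; losing declarations are recorded.
    """
    resolved = {}
    queue = deque((name, ver, 0, ["app"]) for name, ver in direct_deps)
    while queue:
        name, ver, depth, path = queue.popleft()
        if name in resolved:  # a nearer or earlier declaration already won
            resolved[name]["declared"].append((path[-1], ver))
            continue
        resolved[name] = {"version": ver, "depth": depth,
                          "path": path + [name], "declared": [(path[-1], ver)]}
        for dep_name, dep_ver in INDEX[(name, ver)]:
            queue.append((dep_name, dep_ver, depth + 1, path + [name]))
    return resolved


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def correlate(resolved):
    """Correlate the full inventory (direct and transitive) with the advisory list."""
    findings = []
    for name, entry in sorted(resolved.items()):
        for adv in ADVISORIES:
            if adv["package"] == name and is_affected(entry["version"], adv):
                findings.append({"id": adv["id"], "package": name, "version": entry["version"],
                                 "direct": entry["depth"] == 0, "fixed": adv["fixed"],
                                 "path": " -> ".join(entry["path"])})
    return findings


def compatibility_warnings(resolved):
    """Packages whose winning version differs from what some dependent declared:
    this is exactly where the regression risk the article describes sits."""
    return [f"{declarer} declared {name} {ver}, but {entry['version']} was resolved"
            for name, entry in sorted(resolved.items())
            for declarer, ver in entry["declared"] if ver != entry["version"]]


def remediate(direct_deps, findings):
    """Bump a vulnerable direct dependency, or add a direct declaration of the fixed
    version for a transitive one, so that nearest-wins resolution picks it."""
    fixed = {f["package"]: f["fixed"] for f in findings}
    new_direct = [(name, fixed.pop(name, ver)) for name, ver in direct_deps]
    new_direct.extend(fixed.items())
    return new_direct


if __name__ == "__main__":
    before = resolve(DIRECT_DEPS)
    findings = correlate(before)
    print("findings before override:", findings)
    print("compatibility warnings before:", compatibility_warnings(before))
    after = resolve(remediate(DIRECT_DEPS, findings))
    print("findings after override:", correlate(after))
    print("compatibility warnings after:", compatibility_warnings(after))
```

Before the override, `jsonparser 1.4.0` wins because `webframework` is declared before `reporting` at the same depth, so the advisory matches through the path `app -> webframework -> jsonparser`. After the direct declaration of `1.5.0` the finding disappears, but two compatibility warnings appear, because `webframework` and `httpclient` were both written against `1.4.0`. Those warnings are the signal a practitioner should test against before shipping the upgrade.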
