dependency-vulnerability

Dependency Vulnerability Management (OWASP A09)

Identify and remediate known vulnerabilities in third-party dependencies.

When to Use

• Running security audits on projects
• Updating dependencies
• Reviewing Dependabot/Snyk alerts
• Setting up CI/CD security checks
• Evaluating new packages
• Responding to CVE announcements

Vulnerability Sources

Source	Coverage	Updates
NPM Advisory Database	JavaScript	Real-time
GitHub Advisory Database	Multi-language	Real-time
NVD (NIST)	All	Daily
Snyk Vulnerability DB	Multi-language	Real-time
OSV (Open Source Vulnerabilities)	Multi-language	Real-time

Audit Commands by Ecosystem

Node.js / npm

# Run security audit
npm audit

# Get JSON output for CI
npm audit --json

# Auto-fix where possible
npm audit fix

# Force fixes (may include breaking changes)
npm audit fix --force

# Check specific severity
npm audit --audit-level=high

Node.js / Yarn

# Yarn v1
yarn audit

# Yarn v2+
yarn npm audit

# With specific severity
yarn audit --level high

Python / pip

# Using pip-audit (recommended)
pip install pip-audit
pip-audit

# Using safety
pip install safety
safety check

# Check requirements file
safety check -r requirements.txt
pip-audit -r requirements.txt

Ruby / Bundler

# Using bundler-audit
gem install bundler-audit
bundle-audit check --update

# Using bundler
bundle audit

Java / Maven

# OWASP Dependency-Check plugin
mvn org.owasp:dependency-check-maven:check

# Or add to pom.xml

<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>8.4.0</version>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>

Go

# Using govulncheck (official)
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...

# Using nancy
go list -json -deps ./... | nancy sleuth

PHP / Composer

# Local Checker
composer audit

# Using Symfony CLI
symfony check:security

# Using Roave Security Advisories
composer require --dev roave/security-advisories:dev-latest

.NET

# Using dotnet CLI
dotnet list package --vulnerable

# Include transitive dependencies
dotnet list package --vulnerable --include-transitive

CI/CD Integration

GitHub Actions

name: Security Audit

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 0 * * *'  # Daily

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install dependencies
        run: npm ci

      - name: Run security audit
        run: npm audit --audit-level=high

      - name: Run Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

GitLab CI

security_audit:
  stage: test
  script:
    - npm ci
    - npm audit --audit-level=high
  allow_failure: false
  only:
    - merge_requests
    - main

Dependabot Configuration

# .github/dependabot.yml
version: 2
updates:
  # JavaScript dependencies
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      production-dependencies:
        dependency-type: "production"
      development-dependencies:
        dependency-type: "development"
        update-types:
          - "minor"
          - "patch"

  # Python dependencies
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"

  # Docker base images
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

  # GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

Snyk Integration

# Install Snyk CLI
npm install -g snyk

# Authenticate
snyk auth

# Test project
snyk test

# Monitor project (for continuous monitoring)
snyk monitor

# Test with severity threshold
snyk test --severity-threshold=high

# Generate SBOM
snyk sbom --format=cyclonedx1.4+json

Lock File Best Practices

package-lock.json / yarn.lock

# Always commit lock files
git add package-lock.json

# Use ci instead of install in CI
npm ci  # Respects lock file exactly

# Verify integrity
npm ci --ignore-scripts  # Safer for initial audit

Requirements.txt with hashes

# Generate with hashes
pip-compile --generate-hashes requirements.in

# Or use pip-tools
pip install pip-tools
pip-compile --generate-hashes

# requirements.txt with hashes
certifi==2024.2.2 \
    --hash=sha256:dc383c07b76109f368f6106eee2b593b04a011ea4d55f652c6ca24a754d1cdd1

Vulnerability Response Workflow

// 1. Assess the vulnerability
const assessVulnerability = {
  severity: 'HIGH',  // From CVE
  exploitability: 'PROOF_OF_CONCEPT',
  affectedVersions: '<1.2.3',
  currentVersion: '1.2.0',

  // Is it exploitable in your context?
  inProductionPath: true,
  exposedToUntrustedInput: true,

  // Priority calculation
  priority: 'P1'  // Fix immediately
};

// 2. Determine fix approach
const fixApproaches = [
  'Upgrade to patched version',
  'Apply security patch',
  'Use alternative package',
  'Implement workaround',
  'Accept risk (document)'
];

// 3. Test the fix
// 4. Deploy to production
// 5. Document the remediation

Package Evaluation Checklist

Before adding a new dependency:

# Check download stats and maintenance
npm view <package>

# Check for known vulnerabilities
npm audit <package>
snyk test <package>

# Review on npm/GitHub
# - Last publish date
# - Number of maintainers
# - Open issues/PRs
# - Security policy
# - License

// Evaluation criteria
const packageEvaluation = {
  // Maintenance
  lastPublish: '< 6 months ago',
  maintainers: '>= 2',
  openIssues: 'reasonable response time',

  // Popularity (indicates community review)
  weeklyDownloads: '> 10,000',
  dependents: '> 100',

  // Security
  knownVulnerabilities: 0,
  securityPolicy: true,

  // Quality
  tests: true,
  typeDefinitions: true,
  documentation: true
};

Software Bill of Materials (SBOM)

# Generate SBOM with CycloneDX
npm install -g @cyclonedx/cyclonedx-npm
cyclonedx-npm --output-file sbom.json

# Generate with Syft
syft . -o cyclonedx-json > sbom.json

# Scan SBOM for vulnerabilities
grype sbom:./sbom.json

Code Review Checklist

• npm/yarn audit passes with no high/critical issues
• Dependabot or similar enabled
• Lock files committed and up to date
• No packages with known vulnerabilities
• Security audit runs in CI/CD
• New dependencies evaluated before adding
• Unused dependencies removed
• SBOM generated for releases

Best Practices

1. Automate Scanning: Run audits in CI/CD pipeline
2. Update Regularly: Schedule dependency updates
3. Monitor Continuously: Use Snyk/Dependabot alerts
4. Minimize Dependencies: Fewer deps = smaller attack surface
5. Review New Packages: Evaluate before adding
6. Use Lock Files: Pin exact versions
7. Generate SBOMs: Track what you ship
8. Have a Response Plan: Know how to respond to CVEs