# Vulnerable and Outdated Components

Using components that are vulnerable or outdated is a huge problem because it makes an otherwise secure web application vulnerable again through the exploitation of the components it uses.

A06:2021

# Background

# Context

Nowadays a web application consists not only of self-written code but contains hundreds or even thousands of different dependencies of unknown, externally written code. This code can, just like the self-written code, contain security vulnerabilities, which are then directly included in the project that uses it.

The most commonly used database for software vulnerabilities is the Common Vulnerabilities and Exposures (CVE) list. As stated on their website, their goal is to "identify, define, and catalog publicly disclosed cybersecurity vulnerabilities". The database contains over 150,000 records, each with a unique identifier (for example CVE-2021-1234) made up of the characters 'CVE', the year in which the identifier was issued, and a sequence number of four or more digits. In addition, each record contains a description of the issue and references. Each record deals with a specific instance of a product or system and the issues leading to a vulnerability.

# Problems

  • Libraries are often included without security considerations
  • These libraries can contain security vulnerabilities themselves

# Solution

  • Stay informed about security risks in general
  • Always know which version of what library or package is used in your applications
  • Upgrade them when a more recent version is available
  • Remove unused dependencies
  • Use of pure packages is recommended

# Technology

In general, libraries or tools that scan for vulnerabilities consist of a dependency checker which reads all dependencies of a project and compares them against a list of vulnerabilities. Consequently, their performance stands and falls with the quality of the underlying vulnerability database.

TIP

Staying informed yourself is indispensable.

# Node.js

When using Node.js, the Node Package Manager (npm) is normally used. With the command npm audit one can scan a project's dependencies for known vulnerabilities. The underlying vulnerability database is, however, not properly documented. As stated in the referenced source, the database is maintained only by volunteers. Therefore npm audit should not be used as the only line of defense.
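To make the dependency-checker principle from the Technology section concrete, here is an added example (not code from the original page and not npm's own implementation) in the spirit of npm audit: it reads the packages map of a package-lock.json (lockfile version 2 or 3), derives each installed package name from its path so that nested transitive copies are checked as separate installs, and compares every version against an advisory list. The lockfile entries, package names and advisories are constructed sample data, and the advisory id is a placeholder; versions are assumed to be plain MAJOR.MINOR.PATCH.

```javascript
// Added example, not from the original page: a minimal dependency checker in
// the spirit of "npm audit". It reads the "packages" map of a package-lock.json
// (lockfile version 2 or 3) and compares every installed copy of a package,
// including nested transitive copies, against an advisory list. All lockfile
// entries, package names and advisories are constructed sample data; the
// advisory id is a placeholder, not a real identifier.
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-lib": { version: "4.17.20" },
    "node_modules/other-lib": { version: "2.3.1" },
    // nested copy: other-lib pulls in its own, already fixed, version
    "node_modules/other-lib/node_modules/example-lib": { version: "4.17.21" },
  },
};
// Constructed advisories; the vulnerable range is [from, below), so "below" is
// the first fixed version.
const advisories = [
  { id: "ADVISORY-PLACEHOLDER-1", name: "example-lib", from: "0.0.0", below: "4.17.21", severity: "high" },
];

// Assumption: plain MAJOR.MINOR.PATCH versions; a pre-release suffix is ignored.
function compareVersions(a, b) {
  const parse = (v) => v.split("-")[0].split(".").map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns one finding per installed copy whose version falls inside an advisory's range.
function audit(lock, advs) {
  const findings = [];
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    // package name is everything after the last "node_modules/" (keeps @scope/name intact)
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    for (const adv of advs) {
      if (adv.name !== name) continue;
      if (compareVersions(meta.version, adv.from) >= 0 && compareVersions(meta.version, adv.below) < 0) {
        findings.push({ path, name, version: meta.version, id: adv.id, severity: adv.severity });
      }
    }
  }
  return findings;
}
```

Running audit(lockfile, advisories) reports only the top-level example-lib 4.17.20; the nested copy at 4.17.21 is outside the advisory range, which is exactly the per-install distinction a real checker has to make.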

# General Libraries

Other tools exist that can be used to evaluate the components further:

  • Snyk
  • Retire.js
  • OWASP Dependency-Check (Java only)

Last Updated: 7/3/2022, 3:51:46 PM