Use of Software with Known Vulnerabilities
Need
Prevent exploitation of known vulnerabilities in dependencies
Context
- Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
- Usage of mix for dependency management
Description
Non compliant code
defp deps do
[{:phoenix, '~> 1.2.1'}]
end
The insecure code example demonstrates the use of an outdated and potentially vulnerable version of the Phoenix framework (1.2.1), as specified in the mix.exs file in an Elixir project. Known vulnerabilities exist in this version of the Phoenix framework that can be exploited by attackers.
Steps
- Identify the dependencies and their versions that are known to have vulnerabilities.
- Search for the latest versions or the safe versions of those dependencies.
- Update the dependency specifications in your mix.exs file.
- Run 'mix deps.update --all' to update the dependencies.
Compliant code
defp deps do
[{:phoenix, '~> 1.5.7'}]
end
In the secure code example, the Phoenix framework has been updated to a more recent and secure version (1.5.7). This version does not have the vulnerabilities present in the older version.