Non-upgradable dependencies
Description
Dependencies are not explicitly declared (name and version) within the source code. They are copied directly into the repositories.
Impact
- Loss of maintainability because dependencies are not maintained.
- Late update of units in case a vulnerability is reported for one of the reported vulnerabilities.
Recommendation
All dependencies must be declared and must referenced with a dependency manager (npm, pip, maven). This allows to standardize projects construction and packaging.
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
⌚ 120 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: N
- Attack complexity: H
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: N
- Integrity: L
- Availability: N
Temporal
- Exploit code madurity: U
- Remediation level: X
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:X/RC:X
- Score:
- Base: 3.1
- Temporal: 2.9
- Severity:
- Base: Low
- Temporal: Low
Code Examples
Compliant code
All code dependencies are correctly referenced with a defined version
{
"name": "test",
"version": "1.0.0",
"description": "nothing",
"main": "index.js",
"author": "Luis Saavedra",
"license": "MIT",
"private": false,
"dependencies": {
"@angular/core": "^13.3.3",
"cloudron-sysadmin": "1.0.0",
},
}
Non compliant code
There are some undeclared dependencies in the code
var moduleName = require("<name of dependency>");
const createUser = (user) => {
moduleName(user);
}
Requirements
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.