by niros_valtos on 9/6/22, 6:37 AM with 2 comments
2. How do you know if it is safe to upgrade a package and it won't introduce breaking changes? For example, if version 1.2.3 has "myFunc(p1,p2)" and it is called by your code, but the vulnerability was fixed in version 1.2.4, which has "myFunc(p1,p2,p3)".
3. What do you do if the vulnerable package is a sub-package of another package used by your code?
by tauwauwau on 9/6/22, 9:10 AM
1. Use some software like Contrast Security to do it for you. Tools like these can tell you if your code accesses some vulnerable class/method at runtime. However, you'll have to determine whether you want to fix it. For example, it has recently started flagging iText 2.1.7 libraries, but we determined that it was not exploitable in our application. It has to be done on a case-by-case basis.
2. Only your unit/integration tests and QA testing can tell you if it works. Our team creates stories to update libraries, developers work on the upgrade, do a superficial test that everything seems to work and hand it over to the QA team. They then test the running application in the test environment and give it a go-ahead if everything works.
3. We try to exclude the sub-package (Maven/Gradle) and see if it breaks the application; we also try to upgrade the sub-package to a newer version. If you're lucky, there won't be breaking changes. But sometimes there are breaking changes and you'll have to rewrite your code to bring in a newer version of the parent package, which in turn brings a newer version of the sub-package.
Bottom line is it's hard work, there's no magic bullet.
I'm not affiliated with Contrast in any way; there should be other tools for the same purpose.
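The two Maven moves described in point 3 (exclude the transitive sub-package, or force it to the fixed version), as an added example that is not from the thread or from any project mentioned in it. The coordinates `org.example:parent-lib` and `org.example:vulnerable-sub-lib` are placeholders; the versions reuse the 1.2.3/1.2.4 numbers from the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative pom.xml (constructed example, placeholder coordinates).
     Apply EITHER the <dependencyManagement> pin OR the <exclusions> block,
     not both: the pin keeps the sub-package but at the patched version,
     the exclusion removes it entirely so the test suite can show whether
     the application still needs it. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>my-app</artifactId>
  <version>1.0.0</version>

  <!-- Option 1: force the transitive dependency to the fixed version.
       Without this, Maven's "nearest wins" resolution keeps the 1.2.3
       that parent-lib declares, even though 1.2.4 carries the fix. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.example</groupId>
        <artifactId>vulnerable-sub-lib</artifactId>
        <version>1.2.4</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>parent-lib</artifactId>
      <version>3.0.0</version>
      <!-- Option 2: drop the sub-package from parent-lib's transitive set.
           If a class from it is still loaded at runtime you get a
           NoClassDefFoundError, which is what the QA pass should catch. -->
      <exclusions>
        <exclusion>
          <groupId>org.example</groupId>
          <artifactId>vulnerable-sub-lib</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

After either change, `mvn dependency:tree -Dincludes=org.example:vulnerable-sub-lib` confirms which version (if any) actually ends up on the classpath, which is the check the scanner's finding should be closed against.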
by cpach on 9/6/22, 4:00 PM