Does the project use tools to help update its dependencies?
ID: esf_s3c_dev/dependency_update_tool
Severity: high
Category:
Levels:
Optional: false
Tags: SSDF-PW.4.4, code-reviews, security, source-code, supply-chain
Description
Does the project use tools to help update its dependencies?
This check determines whether the project uses a dependency update tool. Such tools automate dependency maintenance by scanning the project's dependency manifests for outdated or insecure requirements and opening a pull request with the updated version when one is found.
Rationale
Out-of-date dependencies expose a project to publicly known flaws and make it an easy target for attacks.
Both open-source and commercial Software Composition Analysis (SCA) tools exist for identifying the risk introduced by third-party software components.
Dependency update tools automate part of the update process: they integrate with the source-code management (SCM) system, detect out-of-date or vulnerable dependencies, and open a pull request that changes the project's dependency descriptors (manifests and lock files) so that maintainers can review and merge it.
Dependency updates should not be merged blindly. An update can break the build, introduce bugs or new vulnerabilities, or be leveraged in a software supply-chain attack when the new version of the component is itself malicious (for example a compromised release of a legitimate package). Dependency update tools remove part of the manual work, but each proposed update still needs a thorough review before it is merged.
Verification
The check looks for evidence that one of the following well-known tools is in use: dependabot, renovatebot, Depfu, Dependencies.io or Dependaroo.
Remediation
- Sign up for automatic dependency updates with a tool such as dependabot or renovatebot, and place its configuration file in the location recommended by that tool.
- For GitHub, see the setup instructions for dependabot or renovatebot.
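The following Python script is an added example, not the project's own check implementation nor code from any of the named tools. It covers both the Verification and the Remediation steps above: it detects whether a checkout contains a dependency update tool by looking for each tool's configuration file, and it renders a minimal Dependabot configuration at the location GitHub documents for it. The assumptions are that the check is satisfied by the presence of the tools' documented configuration files (the paths listed in `TOOL_CONFIG_PATHS`; Dependaroo's location is not known to the author and is omitted) and that Dependabot's `version: 2` schema is used. The sample repository built in `demo()` is constructed in a temporary directory.

```python
"""Detect dependency-update-tool configuration in a repository checkout,
and render a minimal Dependabot config when none is found.

Added example; not the check's own code. It assumes that a tool counts as
"in use" when its documented configuration file is present.
"""
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Set, Tuple

# Repo-relative, POSIX-style paths at which each tool reads its configuration.
# Dependaroo is listed by the check but its config location is not known to
# the author of this example, so it is deliberately omitted here.
TOOL_CONFIG_PATHS: Dict[str, Tuple[str, ...]] = {
    "dependabot": (".github/dependabot.yml", ".github/dependabot.yaml"),
    "renovatebot": ("renovate.json", "renovate.json5", ".github/renovate.json",
                    ".github/renovate.json5", ".renovaterc", ".renovaterc.json"),
    "depfu": (".depfu.yml",),
    "dependencies.io": ("dependencies.yml",),
}


def _normalise(path: str) -> str:
    """Turn "./.github/dependabot.yml" or a Windows path into repo-relative POSIX form."""
    posix = Path(path).as_posix()
    return posix[2:] if posix.startswith("./") else posix


def detect_from_paths(paths: Iterable[str]) -> Set[str]:
    """Return the tools whose config file appears in `paths` (repo-relative).

    Matching is exact on the documented location, so a stray `dependabot.yml`
    in a subdirectory does not count: the tool would not read it there either.
    """
    present = {_normalise(p) for p in paths}
    return {tool for tool, candidates in TOOL_CONFIG_PATHS.items()
            if any(c in present for c in candidates)}


def scan_repo(root: str) -> Set[str]:
    """Check a checkout on disk for each tool's documented config file."""
    root_path = Path(root)
    candidates = [c for cands in TOOL_CONFIG_PATHS.values() for c in cands]
    return detect_from_paths(c for c in candidates if (root_path / c).is_file())


def render_dependabot_config(ecosystems: Iterable[str], directory: str = "/",
                             interval: str = "weekly") -> str:
    """Render a minimal `.github/dependabot.yml` (schema version 2) with one
    `updates` entry per package ecosystem, e.g. "github-actions", "pip", "npm".
    Each resulting pull request still has to be reviewed before merging."""
    lines = ["version: 2", "updates:"]
    for eco in ecosystems:
        lines += [f'  - package-ecosystem: "{eco}"',
                  f'    directory: "{directory}"',
                  "    schedule:",
                  f'      interval: "{interval}"']
    return "\n".join(lines) + "\n"


def demo() -> Tuple[list, list]:
    """Constructed sample: an empty checkout fails the check, then passes once
    a Dependabot config is written at its documented location."""
    with tempfile.TemporaryDirectory() as tmp:
        before = scan_repo(tmp)
        cfg = Path(tmp, ".github", "dependabot.yml")
        cfg.parent.mkdir(parents=True, exist_ok=True)
        cfg.write_text(render_dependabot_config(["github-actions", "pip"]))
        after = scan_repo(tmp)
    return sorted(before), sorted(after)


if __name__ == "__main__":
    print(demo())
```

Running the script prints `([], ['dependabot'])`: no tool is detected in the empty checkout, and the check is satisfied once the rendered config lands in `.github/dependabot.yml`. Because matching is on exact documented paths, the detection also reflects what the tools themselves would read, which is the property the Remediation step relies on.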