Dependency Update Tool
ID | openssf_scorecard/dependency_update_tool
Severity | high
Category |
Levels |
Optional | false
Tags | dependencies, security, supply-chain
Description
Does the project use tools to help update its dependencies?
This check tries to determine if the project uses a dependency update tool. These tools automate the process of updating dependencies by scanning for outdated or insecure requirements, and opening a pull request to update them if found.
Reference: OpenSSF Scorecard - Dependency Update Tool.
Rationale
Out-of-date dependencies make a project vulnerable to known flaws and prone to attacks.
Both open-source and commercial Software Composition Analysis (SCA) tools exist for identifying the risk introduced by third-party software components.
Dependency update tools automate part of the dependency-update process: they integrate with the SCM, detect out-of-date or vulnerable dependencies, and open a pull request that changes the project's dependency descriptors, which maintainers can then review and merge.
Dependency updates should not be accepted blindly. An update can break the build, introduce bugs or new vulnerabilities, or be leveraged in a software supply-chain attack when the new version of the component is itself malicious. Dependency update tools simplify part of the work, but a thorough review of each update is still necessary.
Verification
The check looks for the configuration files of well-known tools, specifically dependabot or renovatebot, in the locations those tools document. Only the presence of such a file is detected; the check does not confirm that the tool is actually enabled on the repository or that the pull requests it opens are reviewed and merged.
Remediation
- Sign up for automatic dependency updates with a tool like dependabot or renovatebot, and place the config file in the locations recommended by these tools.
For GitHub, see instructions for dependabot or renovatebot.
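The following script is an added example and is not part of this page, of OpenSSF Scorecard, or of either tool. It covers both the verification step (looking for a dependency-update configuration file at the well-known locations) and the remediation step (writing a Dependabot configuration). The list of paths is an assumption taken from the locations Dependabot and Renovate document, not a claim about the exact list the Scorecard check uses internally; the ecosystem, directory and schedule values are placeholders.

```shell
#!/bin/sh
# Added example: detect a dependency-update tool configuration and, if none
# exists, scaffold a Dependabot one. Not the Scorecard check's own code.

# Assumed well-known config locations (relative to the repository root),
# as documented by Dependabot and Renovate.
KNOWN_CONFIGS=".github/dependabot.yml .github/dependabot.yaml \
.github/renovate.json .github/renovate.json5 \
renovate.json renovate.json5 .renovaterc .renovaterc.json"

# detect_update_tool REPO_DIR
# Prints the first matching config path and returns 0 if one exists under
# REPO_DIR; returns 1 (and prints nothing) if no known config is present.
detect_update_tool() {
    repo="$1"
    for rel in $KNOWN_CONFIGS; do
        if [ -f "$repo/$rel" ]; then
            printf '%s\n' "$rel"
            return 0
        fi
    done
    return 1
}

# write_dependabot_config REPO_DIR ECOSYSTEM DIRECTORY
# Writes .github/dependabot.yml for one package ecosystem (e.g. "npm" with
# directory "/") and also keeps GitHub Actions workflows current, since a
# stale or compromised action is itself a supply-chain risk.
# The weekly interval and PR limit are placeholder values.
write_dependabot_config() {
    repo="$1"; ecosystem="$2"; directory="$3"
    mkdir -p "$repo/.github"
    cat > "$repo/.github/dependabot.yml" <<EOF
version: 2
updates:
  - package-ecosystem: "$ecosystem"
    directory: "$directory"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
EOF
}

# Usage (from a repository checkout):
#   detect_update_tool . || write_dependabot_config . npm /
```

Committing the file is what the check observes; it does not prove that Dependabot or Renovate is enabled for the repository or that the update pull requests it opens are reviewed and merged, so enabling the tool and reviewing each update remain the maintainer's responsibility.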