How do I resolve transitive dependencies?

Question

The Software Composition Analysis Report has flagged potential transitive dependency security issues, i.e. security issues in one or more dependencies of the dependencies that are relied upon by my custom-developed application. Examples of this include:

  • CVE reported for a Java sub-package of a third-party JAR
  • CVE reported for a subcomponent of an encapsulating third-party component or redistributable more generally
  • CVE reported for a dependency of a COTS product, or of a COTS plug-in framework, or of an API

I cannot independently upgrade these sub-components or otherwise repackage my third-party dependencies. How do I resolve these findings in the Software Composition Analysis Report?

Answer

OIS Software Assurance does not require that developers upgrade sub-components, e.g. dependencies of dependencies. However, the version of the top-level dependency must not have any known vulnerabilities.

To support this determination, the developer must do the following as part of the audit of the dependency:

  • Identify the top-level dependency that uses this sub-component. Include the dependency name and version
  • Where possible, provide a link to a website or documentation that shows that the sub-component is a dependency of the top-level dependency
  • Verify that there are no open known vulnerabilities against the top-level component. See NVD - Search (nist.gov)
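The first two audit items above amount to tracing the flagged sub-component back through the dependency tree to the top-level dependency that pulls it in. The following script is an added example, not part of the OIS guidance, that does this for a Java project by parsing the text output of Maven's `mvn dependency:tree` command. The tree, all coordinates in it, and the version numbers are constructed for illustration; none refers to a real vulnerable package. The NVD query URL is built for the NVD CVE API 2.0 `keywordSearch` parameter (an assumption about that API; the result of the search still has to be read and recorded by the auditor). Classifier-bearing Maven coordinates are not handled.

```python
"""Trace a flagged transitive dependency back to the top-level dependency.

Input: the ASCII tree printed by `mvn dependency:tree`. Output: one audit
record per occurrence of the flagged sub-component, naming the top-level
dependency (name and version), the full path to the sub-component, and an
NVD keyword-search URL for the top-level artifact.
"""
import json
import re
from urllib.parse import urlencode

# Constructed sample output; every group/artifact/version here is hypothetical.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ my-app ---
[INFO] com.example:my-app:jar:1.0.0
[INFO] +- org.example:web-framework:jar:4.2.0:compile
[INFO] |  +- org.example:json-parser:jar:1.8.1:compile
[INFO] |  \- org.example:http-client:jar:2.0.3:compile
[INFO] +- org.example:report-engine:jar:3.1.0:compile
[INFO] |  \- org.example:report-core:jar:3.1.0:compile
[INFO] |     \- org.example:xml-utils:jar:0.9.2:compile
[INFO] \- org.example:logging:jar:5.0.0:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

# Maven draws each nesting level with a 3-character cell: "+- ", "\- ", "|  " or "   ".
PREFIX_CHARS = set("+-\\| ")
# group:artifact:type:version[:scope] (classifier form not supported here).
COORD_RE = re.compile(
    r"^([\w.\-]+):([\w.\-]+):[\w.\-]+:([\w.\-]+)(?::[\w.\-]+)?$"
)
NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"  # assumed endpoint


def parse_tree(text):
    """Yield (depth, node) pairs; banner and build-status lines are skipped."""
    for raw in text.splitlines():
        line = raw[7:] if raw.startswith("[INFO] ") else raw
        i = 0
        while i < len(line) and line[i] in PREFIX_CHARS:
            i += 1
        match = COORD_RE.match(line[i:].strip())
        if not match:
            continue
        yield i // 3, {
            "group": match.group(1),
            "artifact": match.group(2),
            "version": match.group(3),
        }


def fmt(node):
    return f"{node['group']}:{node['artifact']}:{node['version']}"


def nvd_keyword_url(artifact):
    """NVD API 2.0 keyword search for the top-level artifact (manual review follows)."""
    return NVD_API + "?" + urlencode({"keywordSearch": artifact})


def find_top_level(text, group, artifact):
    """Return audit records for every occurrence of group:artifact in the tree."""
    ancestors = []  # ancestors[d] is the node at depth d on the current path
    records = []
    for depth, node in parse_tree(text):
        if depth > len(ancestors):
            raise ValueError(f"malformed tree: depth {depth} without parent")
        del ancestors[depth:]
        ancestors.append(node)
        if depth >= 1 and node["group"] == group and node["artifact"] == artifact:
            top = ancestors[1]
            records.append({
                "flagged": fmt(node),
                "top_level": fmt(top),
                "direct": depth == 1,               # True: it is itself top-level
                "path": [fmt(n) for n in ancestors[1:]],
                "nvd_search": nvd_keyword_url(top["artifact"]),
            })
    return records


if __name__ == "__main__":
    # Usage: report which top-level dependency brings in the flagged component.
    print(json.dumps(find_top_level(SAMPLE_TREE, "org.example", "xml-utils"), indent=2))
```

Each record gives the auditor the top-level dependency name and version to cite, the path through the tree as the evidence that the sub-component really is a dependency of it, and the NVD query to run against the top-level component. When `direct` is true the flagged component is itself a top-level dependency and the normal upgrade requirement applies.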

Note that the custom-developed application may still contain the vulnerability described in the CVE if it invokes top-level dependency functionality that in turn calls the vulnerable sub-component.

Also, if the application does not already use the latest version of the top-level dependency, it must be upgraded to the latest version.