Modern software applications are stitched together from thousands of third-party components fetched from public repositories. This code reuse has major benefits for the software industry, reducing development time and costs and letting developers add functionality faster, but it also creates major vulnerability management problems, because the resulting web of dependencies is often hard to track.
Vulnerabilities inherited from third-party code have plagued applications for years, but in the age of government-sponsored software supply chain attacks, the problem is more relevant than ever. Software composition analysis tools can help uncover some of these risks, but subtle dependency blind spots still exist that make it hard for even security-conscious developers to catch every inherited flaw.
A recent scan of the NuGet repository by security researchers from ReversingLabs uncovered 50,000 packages that were using an outdated and vulnerable version of a popular library called zlib. Many of them did not explicitly list it as a dependency.
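One way to check a .nupkg for exactly this blind spot, as an added example that is not code from the article or from ReversingLabs: it reads the dependencies declared in the .nuspec manifest and separately scans every file in the archive for the copyright string that zlib compiles into any binary linking it, so a statically bundled copy is found even when the manifest never mentions zlib. The package names, the fake DLL contents and the 1.2.13 policy floor are constructed for the demonstration and are not values from the article.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
# zlib compiles a copyright string into every binary that links it, e.g.
# " inflate 1.2.11 Copyright 1995-2017 Mark Adler ", so a bundled copy is
# findable even when the package manifest never mentions zlib.
ZLIB_SIG = re.compile(rb"inflate (\d+(?:\.\d+)+) Copyright \d{4}-\d{4} Mark Adler")

def declared_dependencies(nupkg_bytes):
    """Dependency ids from the .nuspec manifest (a .nupkg is a zip archive)."""
    deps = set()
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as z:
        for name in z.namelist():
            if name.lower().endswith(".nuspec"):
                for el in ET.fromstring(z.read(name)).iter():
                    # tags carry a schema namespace ({ns}dependency); compare the local part
                    if el.tag.rsplit("}", 1)[-1] == "dependency" and "id" in el.attrib:
                        deps.add(el.attrib["id"].lower())
    return deps

def embedded_zlib_versions(nupkg_bytes):
    """Map archive path -> zlib version for every file carrying the signature."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as z:
        for name in z.namelist():
            m = ZLIB_SIG.search(z.read(name))
            if m:
                found[name] = m.group(1).decode()
    return found

def audit(nupkg_bytes, min_version):
    """Report bundled zlib copies, whether each is below policy and whether zlib is declared."""
    declared = any("zlib" in d for d in declared_dependencies(nupkg_bytes))
    floor = tuple(map(int, min_version.split(".")))
    return [{"path": p, "version": v, "declared": declared,
             "outdated": tuple(map(int, v.split("."))) < floor}
            for p, v in embedded_zlib_versions(nupkg_bytes).items()]

def build_sample_nupkg():
    """Constructed package: manifest lists one managed dependency, native DLL bundles zlib 1.2.11."""
    nuspec = (b'<?xml version="1.0"?><package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
              b'<metadata><id>Example.Imaging</id><version>1.0.0</version><dependencies>'
              b'<dependency id="Example.Logging" version="2.0.0" /></dependencies></metadata></package>')
    dll = b"MZ" + b"\0" * 62 + b" inflate 1.2.11 Copyright 1995-2017 Mark Adler " + b"\0" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Example.Imaging.nuspec", nuspec)
        z.writestr("runtimes/win-x64/native/Example.Imaging.Native.dll", dll)
    return buf.getvalue()
```

Run `audit(build_sample_nupkg(), "1.2.13")` to see the finding: one native DLL carrying zlib 1.2.11, below the floor, with no zlib entry among the declared dependencies.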
Dependency tracking is hit and miss