Finite State acquired MergeBase in June 2024. This video was filmed prior to the acquisition. MergeBase capabilities have now been absorbed into the Finite State product to form a powerhouse in application security.
Dependency management is a critical aspect of software development that ensures applications have access to up-to-date and secure libraries and frameworks. One popular tool in the industry for managing dependencies is Dependabot, which automatically updates your npm packages and other dependencies in your GitHub repository.
However, despite its promising features and integrations, Dependabot has a significant implementation flaw that limits its effectiveness. Watch this webinar about how Dependabot applies to you and find out how to fix this :).
Because if you’re using Dependabot, the industry-standard software leader, then your devs didn’t fix the recent Log4J problem properly.
If you’re using it, then the tools you’re using now aren’t getting the job done.
In theory, Dependabot is exactly what the world needs to keep software dependency chains safe from known vulnerabilities: it is tightly integrated with GitHub, auto-generates pull requests, is plugged into GitHub Security Advisories (GHSA), and supports a wide range of programming languages and dependency managers.
But in practice, it has a serious implementation flaw: it can only see transitive dependencies (aka sub-dependencies) in languages and dependency managers that support lock files.
Do you know any languages that currently DO NOT support lock files? Java / Maven!
It can only find all the vulnerabilities, including the dependencies of the dependencies, if there’s a lock file. So if you have a package-lock.json, a Gemfile.lock or a yarn.lock, and you’ve committed it to Git and pushed it up to your Git server, to GitHub, then Dependabot is able to use that lock file to examine the complete dependency tree, and then it can find the vulnerable dependencies deep in that dependency tree.
Lock files are pretty much out-of-the-box standard usage with JavaScript, PHP, Go and Ruby.
When there’s no lock file, Dependabot is not really going to tell you about that; it’s not going to say: “Alert! I’m in severely degraded mode.” Instead, consider the case we’re describing here: this particular software system has six direct dependencies, and those six direct dependencies bring in 50 or 60 additional sub-dependencies (indirect dependencies).
So Dependabot is only going to look at those six libraries, and, “uh oh,” there are the bad ones: Dependabot is going to miss those, because they are in the transitive (indirect) dependencies.
It’s funny: lock files themselves have nothing to do with application security, and they have nothing to do with the open source problem. Lock files solve a different problem; they solve build repeatability. We use these lock files so that everyone on your team is able to build the same software system with all the same libraries, so you auto-generate this lock file.
The nice thing about the package-lock is that it also takes the full tree and writes the full dependency tree to disk in this file, so that everyone on the team has the exact same dependency tree in their software system.
Both are hard, except #1, if a lock-file is present!
The reason that MergeBase is able to find the transitive dependencies is that we’re not relying on lock files exclusively; certainly, we’ll look at the lock file and consider it, but we’re also going to ask Maven directly: Maven, what do you think the full dependency tree is?
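An added example (not the post’s own code and not MergeBase’s) that makes both the “six direct, 50 or 60 indirect” scenario and the “ask Maven for the tree” approach concrete: it reads the direct dependencies a pom-only scan sees from pom.xml, parses the text output of `mvn dependency:tree` the way a scanner would after asking Maven, and reports which flagged versions only the full tree reveals. The pom, the tree output and the advisory list are all constructed for illustration.

```python
# Added example, not from the original post or MergeBase. Contrasts a pom-only view
# of dependencies (direct only) with the full tree `mvn dependency:tree` prints.
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# One tree line: "[INFO] " + drawing prefix ("|  " or "   " groups) + "+- " or "\- " + coordinate.
TREE_LINE = re.compile(r"^\[INFO\] ((?:[| ] {2})*)[+\\]- (\S+)$")

POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>com.example</groupId><artifactId>web-starter</artifactId><version>1.4.0</version></dependency>
<dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId><version>1.7.36</version></dependency>
</dependencies></project>"""  # constructed pom.xml fragment: what a pom-only scan sees

TREE = """[INFO] com.example:app:jar:1.0.0
[INFO] +- com.example:web-starter:jar:1.4.0:compile
[INFO] |  +- com.example:web-core:jar:1.4.0:compile
[INFO] |  |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.12.3:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.36:compile"""  # constructed `mvn dependency:tree` output

# Constructed advisory feed (placeholder data): "group:artifact" -> versions flagged vulnerable.
ADVISORIES = {"org.apache.logging.log4j:log4j-core": {"2.14.1"},
              "com.example:web-core": {"1.4.0"}}

def parse_pom(xml_text):
    """Direct dependencies declared in pom.xml, as 'group:artifact:version'."""
    root = ET.fromstring(xml_text)
    return {":".join(d.find(f"m:{t}", NS).text for t in ("groupId", "artifactId", "version"))
            for d in root.findall("m:dependencies/m:dependency", NS)}

def parse_tree(text):
    """Yield (depth, 'group:artifact:version') for every node in `mvn dependency:tree` text."""
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if m:
            parts = m.group(2).split(":")  # g:a:type[:classifier]:version:scope
            yield len(m.group(1)) // 3 + 1, f"{parts[0]}:{parts[1]}:{parts[-2]}"

def vulnerable(coords):
    """Subset of 'group:artifact:version' coordinates whose version is flagged in ADVISORIES."""
    return {c for c in coords if c.rsplit(":", 1)[1] in ADVISORIES.get(c.rsplit(":", 1)[0], ())}

def compare(pom_text, tree_text):
    """Return (seen, missed): flagged deps a pom-only scan finds vs. those only the tree exposes."""
    direct = parse_pom(pom_text)
    full = {coord for _, coord in parse_tree(tree_text)}
    return vulnerable(direct), vulnerable(full - direct)
```

Running `compare(POM, TREE)` on the constructed data returns nothing for the pom-only view and two flagged transitive coordinates for the tree view; pointing it at real `mvn dependency:tree` output works the same way.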
While Dependabot initially seems like a promising tool for dependency management, its limitations regarding lock-file support hinder its ability to identify and address transitive vulnerabilities accurately.
Developers should be aware of these constraints and consider alternative solutions like MergeBase for more robust dependency analysis. Understanding the importance of Software Composition Analysis and exploring suitable scanning options can significantly enhance the security and stability of software projects.
Ready to experience a comprehensive dependency analysis? Try Finite State today and ensure the safety of your software.