Pour obtenir une clé
d'essai remplissez le formulaire ci-dessous
Demandez des tariffs
Nouvelle licence
Renouvellement de licence
--Sélectionnez la devise--
USD
EUR
RUB
* En cliquant sur ce bouton, vous acceptez notre politique de confidentialité

Free PVS-Studio license for Microsoft MVP specialists
To get the licence for your open-source project, please fill out this form
** En cliquant sur ce bouton, vous acceptez notre politique de confidentialité.

I am interested to try it on the platforms:
** En cliquant sur ce bouton, vous acceptez notre politique de confidentialité.

Message submitted.

Your message has been sent. We will email you at


If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

>
>
>
The risks of using vulnerable dependenc…

The risks of using vulnerable dependencies in your project, and how SCA helps manage them

06 Sep 2022

Most applications today use third-party libraries. If such a library contains a vulnerability, an app that uses this library may also be vulnerable. But how can you identify such problematic dependencies?

0987_PVS-Studio_SCA/image1.png

Dangers of vulnerable components

Let's say we have a simple web app that uses RestSharp, a fairly well-known REST API client library for .NET.

Our app receives some data in JSON format. Let's simplify it a bit and imagine that the handler receives the date string and parses it using the RestSharp extension method:

[HttpPost]
public IActionResult Index(string jsonDate)
{
  DateTime dateTime = jsonDate.ParseJsonDate(CultureInfo.InvariantCulture);

  // do something

  return View();
}

It seems the worst thing that may happen — the string in jsonDate would have incorrect date format. However, here's what would happen:

  • the dateTime object will receive the default value;
  • then the value will be processed in a specific way;
  • the sender will receive a reply.

So, is this code secure?

It depends on the RestSharp library version. If the version is earlier than 106.11.7, the library is vulnerable to ReDoS attacks (CVE-2021-27293). So, what? What does it all add up?

The point is that our request handler uses the ParseJsonDate function that uses a vulnerable regular expression. Hence, our application is vulnerable to ReDoS attacks as well.

To make sure that our application is vulnerable, I sent my app 10-15 requests from a browser at once. I passed the following string as the JSON date to my application:

new Date(000000000000000000000000000000000000000000000000000000000000000000

At the same time, I was using Process Hacker to monitor how the web service was consuming my system resources:

0987_PVS-Studio_SCA/image2.png

I wish I could send a dozen more requests, but my browser has frozen :(.

Let's get back to the code:

[HttpPost]
public IActionResult Index(string jsonDate)
{
  DateTime dateTime = jsonDate.ParseJsonDate(CultureInfo.InvariantCulture);

  // do something

  return View();
}

It looks pretty innocuous, doesn't it? But if a real web application has similar code, it may be attacked and lead to a server overload (provided that a vulnerable version of RestSharp is used).

All right, everything is clear with RestSharp. We just need to update it to the newest version. And the app is secure, right?

Not really... Only one dependency is secure. What about others?

The ways to check a project for vulnerable components

SCA (Software Composition Analysis) is a tool that identifies open-source software vulnerabilities. Originally, SCA was used to manage the license compliance risks, but over the time the product has been scaled up. And now one of its main features is the detection of vulnerable components.

If the project depends on something insecure, the SCA solution reports a message as follows:

Referenced package RestSharp 106.11.5 contains vulnerability according to CVE-2021-27293: Incorrect Regular Expression in RestSharp.

Today we have various tools for dependency analysis. Some tools also integrate SAST (static application security testing). This allows you to look for potential vulnerabilities that can lead to attacks like XXE, SQL injection, XSS, etc. If you integrate both SAST and SCA, you'll be able to diagnose the problems both in source code and in dependencies.

If you are a C# programmer, you can try PVS-Studio: it integrates SAST and SCA tools. Download the trial here. To look for security flaws, enable OWASP diagnostics (the V5625 diagnostic searches for vulnerable dependencies).

Also, there are solutions for other programming languages. Here are the most popular tools:

  • Mend (formerly WhiteSource) is a powerful solution from WhiteSource. It enables to check the code (Mend SAST) and dependency (Mend SCA) security.
  • Black Duck is one of the main Synopsys products. It focuses specifically on dependency analysis. Although the company also has a tool for static security analysis — Coverity.
  • Veracode provides popular solutions to look for security flaws in dependencies and code: Veracode Static Analysis (SAST) and Veracode Software Composition Analysis (SCA).

Conclusion

Any application may be vulnerable even if its code is correct. Vulnerable dependencies are sometimes hardly to find. So, the risks are really high because such dependencies may impact the app operation a lot.

SCA tools are not perfect — they can't make your code 100% secure. However, they definitely help detect vulnerable components. Moreover, you don't have to do it manually :).

Popular related articles
Trojan Source: Invisible Vulnerabilities

Date: 15 Avr 2022

Author: Guest

We present a new type of attack in which source code is maliciously encoded so that it appears different to a compiler and to the human eye. This attack exploits subtleties in text-encoding standards…
Why does my app send network requests when I open an SVG file?

Date: 18 Fév 2022

Author: Sergey Vasiliev

You decided to make an app that works with SVG. Encouraged by the enthusiasm, you collected libraries and successfully made the application. But suddenly you find that the app is sending strange netw…
Vulnerabilities due to XML files processing: XXE in C# applications in theory and in practice

Date: 11 Fév 2022

Author: Sergey Vasiliev

How can simple XML files processing turn into a security weakness? How can a blog deployed on your machine cause a data leak? Today we'll find answers to these questions, learn what XXE is and how it…
OWASP Top Ten and Software Composition Analysis (SCA)

Date: 22 Oct 2021

Author: Nikita Lipilin

The OWASP Top Ten 2017 category A9 (which became A6 in OWASP Top Ten 2021) is dedicated to using components with known vulnerabilities. To cover this category in PVS-Studio, developers have to turn t…
How Visual Studio 2022 ate up 100 GB of memory and what XML bombs had to do with it

Date: 07 Sep 2021

Author: Sergey Vasiliev

In April 2021 Microsoft announced a new version of its IDE – Visual Studio 2022 – while also announcing that the IDE would be 64-bit. We've been waiting for this for so long – no more 4 GB memory lim…

Comments (0)

Next comments
Unicorn with delicious cookie
Nous utilisons des cookies pour améliorer votre expérience de navigation. En savoir plus
Accepter