A new report reveals that patches deployed to fix dependency vulnerabilities cause crashes in 75% of cases. Minor updates were found to cause client crashes 94% of the time, and in the case of version upgrades, this percentage was 95%.
Software dependencies (the external code or libraries that a project needs to function properly) are notoriously difficult to manage during application development. Remediating vulnerabilities in dependencies requires a major version upgrade 24% of the time.
“The seemingly easiest solution is to upgrade to a non-vulnerable version of the dependency,” said the authors of the new 2024 Dependency Management Report from software supply chain security firm Endor Labs.
“However, what initially seems easy (after all, you just need to update the version identifier to a non-vulnerable one, right?) can lead to compatibility issues and regressions that break an application during development.”
Endor Labs researchers analyzed vulnerability data from internal and external sources to measure trends in software dependency management for the report.
SEE: Software supply chain security attacks increase by 200%, according to new Sonatype study
Dependency vulnerabilities are not reported or fixed quickly enough
The report also found that there are several issues inherent in reporting and patching dependency vulnerabilities, with 69% of advisories being published on CVE, blogs, GitHub, and similar platforms after a patch has been released. The average delay between public availability of a patch and publication of an advisory is 25 days.
These factors significantly expand the window of opportunity for attackers to exploit vulnerable systems through software dependencies.
AI libraries make vulnerability management difficult
Despite making programming easier, increasingly popular AI libraries are exacerbating existing problems with dependent vulnerability management. More specifically, the report found that vulnerability reporting in AI libraries is inconsistent, with numbers varying by as much as 10% across public advisory databases.
According to the report's authors, phantom dependencies (libraries hidden and undeclared in an application's code) are also more common in AI and ML software projects. AI projects tend to be written in Python, a language known for its phantom dependencies because it allows for dynamic or indirect package installations that bypass manifest files.
Phantom dependencies only made up a significant portion of the dependency footprint of 27% of the companies whose data was analyzed for this report. However, within that group, more than 56% reported that library vulnerabilities were found in their phantom dependencies.
Security professionals are overwhelmed by irrelevant vulnerability alerts
According to the report, a quarter of the reports contain incorrect or incomplete data, which can lead to false positives and false negatives.
Nearly half of the vulnerabilities found in public databases from six common open source ecosystems also contain no code-level vulnerability information, such as names of affected functions or fix commits. In fact, only 2% contain information about affected functions.
Identifying the connections between applications and vulnerabilities within their dependencies is a technical challenge. However, this information is essential for security professionals to know whether vulnerabilities pose a risk to their applications.
Without it, they can’t quickly filter out irrelevant vulnerabilities, which are many. The Endor Labs team found that over 90.5% of open source dependency vulnerabilities in Java, Python, Rust, Go, C#, .NET, Kotlin, and Scala are not actually exploitable at the function level — that is, they don’t have at least one call path from the application to the vulnerable function in that library.
SEE: Open source code for commercial software applications is ubiquitous, but so is the risk
Darren Meyer, a research engineer at Endor Labs, said organizations are “drowning in vulnerability alerts, many of which do not represent a significant risk.”
“Investigating alerts is expensive for security teams (and software teams), and trying to fix everything is even more expensive,” he added.
The benefits of upgrading Python's top 20 components
Updating dependencies to non-vulnerable versions has a noticeable impact on the number of relevant vulnerabilities. For example, updating the top 20 Python components removes over 75% of all vulnerability findings, including 60% for Java and 44% for npm.
Additionally, filtering out dependency vulnerabilities that are unreachable (i.e., cannot be accessed or exploited) and have an EPSS score of less than 1% can significantly reduce the number of vulnerabilities security professionals need to monitor. When these vulnerabilities are combined with filters for vulnerabilities that have no available fix and are not present in test code, only 4% of Java and JavaScript vulnerabilities and less than 1% of Python vulnerabilities remain, dramatically reducing remediation costs.
The report’s authors wrote: “When combined with feature-level accessibility analysis data and other context-based outreach strategies, EPSS prioritization is typically so effective that additional, more effort-intensive prioritization strategies (such as performing environmental and temporal CVSS scoring exercises to determine severity in your environment) are often not needed.”
“This saves vulnerability scanning costs for your organization.”
