2

Everytime I see a pom.xml file or requirements.txt that says that a given project requires a specific legacy version of a library, it makes me cringe. Am I right when I assume that it's usually insecure to specify maximum (or exact) versions of a library in project's requirements?

I'm asking because I find the popularity of such approach quite confusing - while quite a lot of programming languages allow that, I can't see that adopted in - for example - most Linux package managers that basically "force" developers to port their software to new versions of libraries.

d33tah
  • 6,544
  • 8
  • 40
  • 61

2 Answers2

1

Am I right when I assume that it's usually insecure to specify maximum (or exact) versions of a library in project's requirements?

It depends.

If the requirement is due to a possible API change in later versions then this requirement makes sense. You will often find that Java applications require a specific version of Java since there are lots of small changes between the Java version which might (not necessarily will) break the application. Sometimes the requirement only says with which software stack it was tested and that no support will be given if used with another software stack.

It is bad and insecure if this requirement means that you cannot upgrade the software stack in case of vulnerabilities.

... most Linux package managers that basically "force" developers to port their software to new versions of libraries.

Not really. Most Linux distributions do not enforce the newest library in case of vulnerabilities with the older version, but instead try to port the bug fixes back to the older version. Only when a new distributions gets released they include newer versions of the software stack, but also often include additionally older versions to give existing software the (older) libraries they need.

At the end each developer has only limited time to test and thus testing is done only with a few variations of the software stack. And most developers don't have the time to adapt and test their software with each new version of a library or programming language etc.

Steffen Ullrich
  • 201,479
  • 30
  • 402
  • 465
  • ...the last sentence suggests for me that this should be an automated process. – d33tah Oct 12 '15 at 15:47
  • @d33tah: I guess you never developed software which is used by lots of others. To automate everything you need to have every possible version of the software stack installed (lots of VM, lots of licences for the OS, lots of resources needed) and you have fully automated tests which cover every relevant part of your program. And it gets worse because mobile phones differ a lot and not everything can be tested inside a VM. – Steffen Ullrich Oct 12 '15 at 17:00
  • You're right, I might have overly simplified that. What I meant is testing for build errors and runtime exceptions for one OS. – d33tah Oct 12 '15 at 17:04
  • @d33tah: there might be variations on the software stack even on a single OS. You can have different Java versions installed, different browsers, versions of .NET, SSL stacks, versions of python etc. Even the patch status or registry settings matter a lot (like the supported SSL ciphers and versions etc). It is a really complex thing and a nightmare to support all this stuff. And of course you cannot reproduce customer problems because you don't know what's different with their setup and they don't know either. – Steffen Ullrich Oct 12 '15 at 18:30
0

For Maven, you can check your dependencies for security issues with the OWASP plugin:

https://jeremylong.github.io/DependencyCheck/dependency-check-maven/plugin-info.html

You can also tell maven to get the latest version:

https://stackoverflow.com/questions/30571/how-do-i-tell-maven-to-use-the-latest-version-of-a-dependency

Example:

<version>[1.0.0,2.0.0)</version> //will get version up to but not including 2.0.0
Neil McGuigan
  • 3,429
  • 1
  • 18
  • 22