funsec mailing list archives
Repositories offer up vulnerable libraries says report
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 9 Apr 2012 08:08:29 -0400
http://h-online.com/-1498138

A report by Aspect Security and Sonatype analysed 113 million downloads of 31 popular open source Java frameworks and security libraries and found that, of those downloads, 26% of them had a known vulnerability. The report says that this highlights the fact that organisations don't have good procedures or tools for ensuring that the libraries they use when building applications are up to date. The study looked at 31 libraries which had 1,261 different versions of themselves held in the "Central Repository", a service for Apache Maven users run by Sonatype.

...

The problem though is a clash of philosophies; the "Maven way" is, said Jackson, not to break any build and removing known vulnerable libraries from the repository would break builds, sometimes unnecessarily as the vulnerable functionality in a library may not be used or exposed by an application. But by ensuring a build never breaks, the door is left open for vulnerable libraries to be used again and again, long after the originating project had retired them.

...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
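Since the repository itself will not pull retired versions (the "Maven way" described above), the check has to live on the consumer's side of the build. The following is an added example, not from the post or the report, showing the shape of such a gate: a script that reads the dependencies declared in a pom.xml and flags any whose version falls inside a known-affected range. The advisory list and the sample pom are constructed for illustration; the group and artifact names are not real projects.

```python
"""Flag declared Maven dependencies whose version lies in a known-vulnerable range."""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed advisory data for illustration only (not real CVE entries):
# (groupId, artifactId, first affected version inclusive, first fixed version exclusive)
ADVISORIES = [
    ("org.example", "example-web", "1.0", "1.4.2"),
    ("org.example", "example-crypto", "2.0", "2.3"),
]

# Constructed sample pom.xml declaring three dependencies, one of them in an affected range.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>example-web</artifactId><version>1.3.9</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>example-crypto</artifactId><version>2.3.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>example-util</artifactId><version>0.9</version></dependency>
  </dependencies>
</project>"""


def parse_version(version):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings ('1.10' > '1.9')."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())  # drop qualifiers such as -SNAPSHOT
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed."""
    return parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed)


def declared_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for every <dependency> in the pom; version may be None."""
    root = ET.fromstring(pom_xml)
    for dep in root.findall(".//m:dependencies/m:dependency", NS):
        yield (dep.findtext("m:groupId", namespaces=NS),
               dep.findtext("m:artifactId", namespaces=NS),
               dep.findtext("m:version", namespaces=NS))


def vulnerable_dependencies(pom_xml, advisories=ADVISORIES):
    """Return [(groupId, artifactId, declared version, first fixed version)] for each hit."""
    findings = []
    for group, artifact, version in declared_dependencies(pom_xml):
        if version is None:
            continue  # version inherited from a parent or dependencyManagement: resolve before checking
        for adv_group, adv_artifact, first_affected, first_fixed in advisories:
            if (group, artifact) == (adv_group, adv_artifact) and is_affected(version, first_affected, first_fixed):
                findings.append((group, artifact, version, first_fixed))
    return findings


if __name__ == "__main__":
    for group, artifact, version, fixed in vulnerable_dependencies(SAMPLE_POM):
        print(f"{group}:{artifact}:{version} is in a known-affected range; upgrade to {fixed} or later")
```

Run as a CI step that fails the build on any finding, this reverses the default the article describes: the build breaks because of a vulnerable dependency rather than never breaking at all.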