[funsec] Repositories offer up vulnerable libraries says report

Jeffrey Walton noloader at gmail.com
Mon Apr 9 07:08:29 CDT 2012


A report by Aspect Security and Sonatype analysed 113 million
downloads of 31 popular open source Java frameworks and security
libraries and found that, of those downloads, 26% of them had a known
vulnerability. The report says that this highlights the fact that
organisations don't have good procedures or tools for ensuring that
the libraries they use when building applications are up to date. The
study looked at 31 libraries which had 1,261 different versions of
themselves held in the "Central Repository", a service for Apache
Maven users run by Sonatype.

The problem though is a clash of philosophies; the "Maven way" is,
said Jackson, not to break any build and removing known vulnerable
libraries from the repository would break builds, sometimes
unnecessarily as the vulnerable functionality in a library may not be
used or exposed by an application. But by ensuring a build never
breaks, the door is left open for vulnerable libraries to be used
again and again, long after the originating project had retired them.
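As an added example (not part of this post or of the report it summarises), here is the kind of check the report says organisations lack: it reads the dependencies declared in a Maven pom.xml and flags any whose version falls inside a known-affected range. The POM, the library coordinates and the version ranges are constructed for illustration; nothing here refers to a real advisory.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed advisory list (hypothetical coordinates, not real advisories):
# (groupId, artifactId, first affected version inclusive, fixed version exclusive)
ADVISORIES = [
    ("org.example", "acme-web", "1.0.0", "1.4.2"),
    ("org.example", "acme-crypto", "2.0.0", "2.3.0"),
]

# Constructed pom.xml standing in for a project's real build file.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>acme-web</artifactId><version>1.3.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>acme-crypto</artifactId><version>2.3.1</version></dependency>
    <dependency><groupId>org.other</groupId><artifactId>util</artifactId><version>0.9</version></dependency>
  </dependencies>
</project>"""

def version_key(version):
    """Sortable key for simple dotted versions; a qualifier such as -SNAPSHOT sorts before the plain release."""
    base, _, qualifier = version.partition("-")
    numbers = tuple(int(part) for part in re.findall(r"\d+", base))
    return numbers, 0 if qualifier else 1

def parse_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for dependencies declared directly in the POM."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.iter(POM_NS + "dependency"):
        fields = [dep.findtext(POM_NS + tag) for tag in ("groupId", "artifactId", "version")]
        if all(fields):  # skip entries whose version is inherited from a parent/BOM
            deps.append(tuple(fields))
    return deps

def find_vulnerable(deps, advisories=ADVISORIES):
    """Flag each dependency whose version lies in [first_affected, fixed_in) for a matching advisory."""
    hits = []
    for group, artifact, version in deps:
        for adv_group, adv_artifact, first, fixed in advisories:
            if (group, artifact) == (adv_group, adv_artifact) and \
               version_key(first) <= version_key(version) < version_key(fixed):
                hits.append((group, artifact, version, fixed))
    return hits

if __name__ == "__main__":
    for group, artifact, version, fixed in find_vulnerable(parse_dependencies(SAMPLE_POM)):
        print(f"{group}:{artifact}:{version} is in an affected range; upgrade to {fixed} or later")
```

This only covers dependencies declared in the POM itself; transitive dependencies pulled in by those libraries need the resolved tree (for example from `mvn dependency:list`) checked the same way.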
