Recently I was going through the results of a Software Composition Analysis (SCA) scan of an application. While trying to figure out whether the reported vulnerabilities were relevant findings or false positives, it reminded me of bread rolls. Sounds odd? Well, let me explain.
Dependencies are like seeds in bread
I bake bread rolls pretty often. They are easy to make, the ingredients are so simple that I almost always have them in my kitchen cupboard, and it feels cozy to have warm bread just out of the oven for an afternoon snack. However, baking plain rolls can get a bit boring, so I often try to add a twist: adding some seeds, nuts, malt, or grated carrots brings a new kind of flavor.
Libraries in an application are like seeds in a bread roll. They are an inseparable part of the product. If the seeds are stale, the rolls might taste funny. The same goes with the libraries: if the libraries contain vulnerabilities, the application can be vulnerable, too.
Not all vulnerabilities in dependencies are problematic
There’s a twist with vulnerable components. For example, some of the components that your source code includes are only used for testing and development. These dev or test dependencies will not be a part of the actual product, so you don’t have to mind about the vulnerabilities in these.
Some of the libraries are direct dependencies of the application, so the application is using the functionality provided by these. In most cases, you should just update the library to get that vulnerability fixed. If updating is not possible (due to incompatibility issues or updating would require a service break that you cannot afford to have right now) you can try to examine if the vulnerable method is actually used by your application or try to have alternative means of protection, such as a web application firewall blocking exploit attempts.
Other libraries are transitive, meaning that they are not directly used by your application, but some of the libraries you directly include are using their functionality. The chain of dependencies can get quite long. Transitive libraries can induce vulnerabilities into your application, too. However, it can be difficult to check whether the vulnerable code in a transitive library is actually used by your app and end up in the product. At least it requires extensive knowledge about the application functionality. Another problem is that typically you cannot just go and update the transitive libraries on your own – you need to update the direct libraries to a version that will use the fixed new version of the transitive library.
Let’s compare dependencies and baking
If we go back to the bread rolls and baking analogy, these are the dependency types:
- Direct dependencies
- Flour
- Seeds
- Yeast
- Water
- Transitive dependencies
- Air (formed by yeast when it splits sugars, causing the dough to rise)
- The viscous and elastic mass formed by gluten proteins when you mix the dough enough
- Testing dependencies
- A cocktail stick to check if the pastry is done
- Development dependencies
- Baking bowl to mix the ingredients
- Mixer or a large spoon
- Compilation dependencies
- Oven
- Electricity
- Baking paper
- Baking tray
- Runtime dependencies
- Knife
- Butter to spread on the ready rolls
Let’s bake some bread rolls!
If you need some time to chew over the dependency problem, you can bake some bread rolls in the meantime. You’ll need
- 2 dl of oatmeal (rolled oats)
- 1 bag of dry yeast (around 11 g)
- 5 dl of water
- 2 tbsp of syrup (you can also use honey)
- 0,5-1 tsp salt
- 9 dl of bread flour (mine included wheat flour, wheat groats, dark wheat flour, and rye flour)
- 1 dl seed mix (mine had sunflower seeds, pumpkin seeds, pine seeds, and cranberries)
- 0,5 dl cooking oil (I used canola oil but you can also use e.g. rapeseed oil)I
Measure the oatmeal and dry yeast in a baking bowl. Heat the water into 42 ºC and pour it over into the bowl. Mix. Add syrup and salt. Add the flour in small batches and mix well with a mixer with dough hooks (you can also use a spoon and later knead it with your hands). Add the seed mix, oil, and the rest of the flour and mix until the dough does not stick into the dough hooks anymore. Depending on the type of flour, you may need to add some extra flour.
Let the dough rise in a warm place until the size has approximately doubled. I tend to put the baking bowl inside a loosely closed clean plastic bag and put the whole thing inside the microwave oven (don’t put the microwave on, though). Raising the dough takes around 50-60 minutes.
Tip the dough onto a floured surface and roll into a baguette-type shape. Cut the dough in halves and roll into two even baguettes. Divide the rolls into 18-24 pieces and roll them into tiny balls. Place the balls onto a baking tray with paper and leave some room for rising. Cover the bread rolls with a cloth and let them rise for 20-30 minutes. You can pt
Heat the oven to 210 ºC (if you have a convection oven) and bake for 10 minutes. If you have a regular oven, use 225 ºC and bake for 12-15 minutes. If you are unsure, check that the bread rolls are done by inserting a cocktail stick or a toothpick into the bread roll. If there’s some dough on the toothpick, put the rolls back to the oven.
Let the bread rolls cool for a while. Enjoy with some butter and hot tea!
While munching on those bread rolls, you can read more about the subject from the following links:
Bake Security In 