- Remote attestation (SEDIMENT)
- 3rd party API checks
- Direct dependencies are straightforward.
- Upgrade direct dependencies to the latest supported version with each release.
- Prioritize upgrading direct dependencies with effective vulnerabilities.
- An effective (reachable) vulnerability is one whose vulnerable code path the application containing it can actually execute.
- Not all vulnerabilities in a package are in code that the application uses; a scanner's findings should be combined with reachability analysis before deciding urgency. Unreachable vulnerabilities still get upgraded with the next release, since reachability analysis can miss reflection and dynamic loading.
- Prioritize upgrading direct dependencies on deprecated versions.
- Prioritize upgrading direct dependencies whose transitive dependencies are vulnerable.
- Dependencies with critical zero-day vulnerabilities may require out-of-band upgrades and emergency releases. A good example is Log4j (Log4Shell, CVE-2021-44228), which was exploitable through attacker-controlled log messages.
- Transitive dependencies are more difficult.
- Often resolved by upgrading the direct dependency to a newer version that pulls in a fixed version of the transitive dependency.
- Some transitive dependencies can be upgraded independently (by pinning or overriding the version in the lockfile or build file), but this forces a combination the direct dependency was never tested with, so it requires more testing.
- How to automate the mitigation?
- Some container scanning tools can automatically upgrade open source dependencies used in container base images; the automated upgrade still has to pass the build and test suite before it ships.
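The prioritization rules above (effective vulnerabilities first, emergency handling for critical ones, deprecated versions, vulnerable transitive dependencies) as a small triage script. This is an added example, not tooling from the page or from any scanner it mentions. The package names, versions, advisory IDs and `reachable` flags are constructed sample data; in practice they would come from a lockfile or SBOM, a vulnerability database and a reachability (call-graph) analysis. The ordering of the tiers is this example's choice, since the notes do not rank the three "prioritize" rules against each other.

```python
"""Dependency-upgrade triage (added example; sample data is constructed)."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple


@dataclass
class Vuln:
    advisory: str
    severity: str      # "critical", "high", "medium" or "low"
    reachable: bool    # True if the vulnerable code is on a path the app executes


@dataclass
class Package:
    name: str
    version: str
    deprecated: bool = False
    vulns: List[Vuln] = field(default_factory=list)
    deps: List[str] = field(default_factory=list)   # names of its own dependencies


@dataclass
class Finding:
    name: str          # the direct dependency to upgrade
    tier: int          # EMERGENCY (0) is most urgent, ROUTINE (5) least
    worst: int         # highest severity rank among effective vulnerabilities
    reasons: List[str]


SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Priority tiers, lowest number first (this example's ordering, not the notes').
EMERGENCY, EFFECTIVE_DIRECT, EFFECTIVE_TRANSITIVE, DEPRECATED, UNREACHABLE, ROUTINE = range(6)


def walk(graph: Dict[str, Package], root: str) -> Iterator[Tuple[Package, Tuple[str, ...]]]:
    """Cycle-safe depth-first walk; yields each package once with its path from root."""
    seen, stack = set(), [(root, (root,))]
    while stack:
        name, path = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        yield graph[name], path
        for dep in graph[name].deps:
            if dep not in seen:
                stack.append((dep, path + (dep,)))


def triage(graph: Dict[str, Package], direct: List[str]) -> List[Finding]:
    """Rank direct dependencies by how urgently they need an upgrade."""
    findings = []
    for name in direct:
        tier, worst, reasons = ROUTINE, 0, []
        for pkg, path in walk(graph, name):
            for v in pkg.vulns:
                where = f"{v.advisory} ({v.severity}) in {pkg.name} {pkg.version}"
                if not v.reachable:
                    # Not an effective vulnerability: the app never runs that code.
                    tier = min(tier, UNREACHABLE)
                    reasons.append(f"{where}: not reachable, upgrade with next release")
                    continue
                worst = max(worst, SEVERITY[v.severity])
                if pkg.name == name:
                    tier = min(tier, EFFECTIVE_DIRECT)
                    reasons.append(f"{where}: effective, upgrade {name}")
                else:
                    tier = min(tier, EFFECTIVE_TRANSITIVE)
                    reasons.append(f"{where}: effective via {' -> '.join(path)}; upgrade "
                                   f"{name} to a version that pulls a fixed {pkg.name}, or "
                                   f"override {pkg.name} directly (needs extra testing)")
                if v.severity == "critical":
                    tier = min(tier, EMERGENCY)   # critical and effective: emergency release
        if graph[name].deprecated:
            tier = min(tier, DEPRECATED)
            reasons.append(f"{name} {graph[name].version} is a deprecated version")
        findings.append(Finding(name, tier, worst, reasons))
    findings.sort(key=lambda f: (f.tier, -f.worst, f.name))
    return findings


# Constructed sample graph: an app with four direct dependencies (hypothetical names).
SAMPLE_GRAPH = {
    "web-framework": Package("web-framework", "2.1.0", deps=["logging-lib", "json-parser"]),
    "logging-lib": Package("logging-lib", "2.14.1", vulns=[Vuln("ADV-0001", "critical", True)]),
    "json-parser": Package("json-parser", "1.0.3", vulns=[Vuln("ADV-0002", "high", False)]),
    "image-lib": Package("image-lib", "3.0.0", vulns=[Vuln("ADV-0003", "medium", True)]),
    "crypto-lib": Package("crypto-lib", "0.9.2", deprecated=True),
    "cli-tool": Package("cli-tool", "1.2.0"),
}
SAMPLE_DIRECT = ["cli-tool", "crypto-lib", "image-lib", "web-framework"]


def sample_order() -> List[str]:
    return [f.name for f in triage(SAMPLE_GRAPH, SAMPLE_DIRECT)]


if __name__ == "__main__":
    for f in triage(SAMPLE_GRAPH, SAMPLE_DIRECT):
        print(f"tier {f.tier}: {f.name}")
        for r in f.reasons:
            print("   ", r)
```

On the sample data, `web-framework` ranks first (a reachable critical in its transitive `logging-lib`, so an emergency release) even though `web-framework` itself has no vulnerability; its unreachable `json-parser` finding is recorded but does not raise the tier. `image-lib` (reachable medium in the direct dependency) follows, then the deprecated `crypto-lib`, and `cli-tool` is left for the routine per-release upgrade.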