Why do we have to fix security vulnerabilities on the test scope dependencies?

Time: 01-05

Why do we have to fix security vulnerabilities on the libraries that we use only in testing scope?

I've been trying to find the answer online but no luck so thought of asking here.

For example, I found this vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-23463), but H2 was included as <scope>test</scope> in Maven.

Thanks in advance!

CodePudding user response:

Tests will likely be run by CI on your internal infrastructure. Or just on your developer machines. They will be run somewhere that is more or less internal to your infrastructure.

A vulnerability can be exploited in many ways; the one you mentioned is an XXE. A malicious XML file can be used to do stuff on the host that processes it. This might allow an internal unprivileged attacker (e.g. a developer) to compromise CI, which might have access to more valuable credentials. Or it might allow an external attacker to compromise a developer PC (by somehow providing malicious XML input), and then compromise CI from there, and so on.

You can see the point: you don't just want to protect your production environment. Sure, that might be the most important, but the way to protect it is to apply defense in depth and mitigate risks for the whole infrastructure.

CodePudding user response:

Why do we have to fix security vulnerabilities on the libraries that we use only in testing scope?

I can think of a couple of reasons why you might have to fix the vulnerabilities:

  1. Because your management, or the security team, tells you that you have to. They may tell you this for reasons of compliance with some internal policy, or some external compliance rules ... or even for legal reasons.

  2. Because you are unable to conclusively show that the vulnerabilities in the test scope do not constitute a risk.

    For example, could the vulnerability be exploited by a bad actor who has access to your CI infrastructure? Can you demonstrate that that is not possible?


And the converse is:

  • IF management doesn't say that you have to fix them AND you can conclusively show that the vulnerability is NOT a risk in your test infrastructure THEN you could decide to not fix them.
  • HOWEVER, if your assessment is incorrect THEN the blame and consequences will fall on you.

In short ... you need to decide if you want to take the risk of ignoring the vulnerability.
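Both answers come down to the same practical point: a test-scoped artifact is still code that runs on your CI hosts and developer machines, so it belongs in the vulnerability inventory rather than being filtered out by scope. The following added example (not code from either poster) parses a constructed pom.xml, resolves `${property}` versions the way Maven does, and shows how a scope filter would silently drop the H2 dependency from what the scanner sees; the version string is a labelled placeholder, not a real release number.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample pom.xml: H2 is declared at test scope only, with its version
# taken from a property, as in the question. The version is a placeholder.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><h2.version>PLACEHOLDER_VERSION</h2.version></properties>
  <dependencies>
    <dependency>
      <groupId>com.h2database</groupId><artifactId>h2</artifactId>
      <version>${h2.version}</version><scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.example</groupId><artifactId>app-core</artifactId>
      <version>2.3.1</version>
    </dependency>
  </dependencies>
</project>"""

@dataclass(frozen=True)
class Dependency:
    group_id: str
    artifact_id: str
    version: str
    scope: str  # Maven applies "compile" when <scope> is omitted

def _text(elem, pre, tag, default=""):
    child = elem.find(pre + tag)
    return child.text.strip() if child is not None and child.text else default

def parse_dependencies(pom_xml: str) -> list[Dependency]:
    root = ET.fromstring(pom_xml)
    # Maven poms carry a default namespace; reuse whatever the root declares.
    pre = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall(pre + "properties/*")}
    deps = []
    for d in root.findall(f"{pre}dependencies/{pre}dependency"):
        version = _text(d, pre, "version")
        for name, value in props.items():  # interpolate ${property} references
            version = version.replace("${" + name + "}", value)
        deps.append(Dependency(_text(d, pre, "groupId"), _text(d, pre, "artifactId"),
                               version, _text(d, pre, "scope", "compile")))
    return deps

def scan_inventory(deps, include_test=True):
    """Artifacts handed to the vulnerability scanner. include_test=False silently
    drops H2 here, which is exactly the gap both answers above warn against."""
    return [d for d in deps if include_test or d.scope != "test"]
```

Running `scan_inventory(parse_dependencies(SAMPLE_POM))` lists both artifacts with their resolved versions and scopes; the same call with `include_test=False` returns only app-core.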
