
Non-upgradable Dependencies - Elixir


Need

Use a dependency manager to ensure smooth updates and maintainability


Context

  1. Usage of Elixir (v1.11+) for building scalable and fault-tolerant applications
  2. Usage of Mix as the package manager

Description

Insecure Code Example

defmodule InsecureDependencies do
  # The source of the UUID package has been copied directly into this file
  # instead of being declared as a dependency in mix.exs
  def generate_uuid do
    #...Code copied from UUID package...
  end
end

The `generate_uuid` function uses code copied directly from a package (the UUID package, for instance). This makes the code hard to update and maintain. Also, if a vulnerability is found in the original package, the copied code is vulnerable too and has to be patched by hand.

Steps

  1. Define all dependencies in your mix.exs file.
  2. Run `mix deps.get` in your command line to fetch the defined dependencies.

Secure Code Example

# mix.exs file

defp deps do
  [
    {:uuid, "~> 1.8"}
  ]
end

# Using the UUID package in your code

defmodule SecureDependencies do
  def generate_uuid do
    UUID.uuid4()
  end
end

Now the UUID package is declared as a dependency in the mix.exs file and fetched with `mix deps.get`, which makes the code easier to update and maintain. Moreover, if a vulnerability is found in the original package, you only need to update the version in the mix.exs file and run `mix deps.get` again.
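Once a dependency is declared in mix.exs, Mix records the exact version it resolved in mix.lock, and that file is what a release gate can inspect. The script below is an added example, not part of this guideline or of the UUID package: it reads the locked version of a hex dependency out of a mix.lock and checks it against a minimum version, the kind of check you would run in CI after an advisory names a fixed version. The mix.lock content is constructed for the example (the checksum fields are placeholders), and the minimum versions passed in the demo are hypothetical gates, not real advisory data.

```shell
#!/bin/sh
# Added example (not from the original guideline): gate a build on the version of a
# hex dependency that Mix actually locked in mix.lock.
set -eu

# Constructed mix.lock excerpt; checksums are placeholders, not real values.
SAMPLE_LOCK=$(cat <<'EOF'
%{
  "jason": {:hex, :jason, "1.4.1", "PLACEHOLDER_INNER_CHECKSUM", [:mix], [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "PLACEHOLDER_OUTER_CHECKSUM"},
  "uuid": {:hex, :uuid, "1.1.8", "PLACEHOLDER_INNER_CHECKSUM", [:mix], [], "hexpm", "PLACEHOLDER_OUTER_CHECKSUM"},
}
EOF
)

# locked_version LOCK_TEXT DEP -> prints the locked version of a hex dependency,
# fails when the dependency has no {:hex, ...} entry (git/path deps are not matched).
locked_version() {
  lock="$1"; dep="$2"
  v=$(printf '%s\n' "$lock" | sed -n "s/^ *\"$dep\": {:hex, :$dep, \"\([^\"]*\)\".*/\1/p")
  [ -n "$v" ] || return 1
  printf '%s\n' "$v"
}

# version_ge A B -> exit 0 when A >= B, comparing dotted numeric components.
# Pre-release suffixes (1.0.0-rc.1) are dropped, so a pre-release counts as its base
# release; use Elixir's Version.compare/2 when exact SemVer ordering matters.
version_ge() {
  awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# dep_meets_minimum LOCK_TEXT DEP MIN -> 0 when the locked version is at least MIN,
# 1 when it is older, 2 when the dependency is not locked at all.
dep_meets_minimum() {
  lock="$1"; dep="$2"; min="$3"
  if ! v=$(locked_version "$lock" "$dep"); then
    echo "$dep: no hex entry in mix.lock; declare it in mix.exs and run mix deps.get" >&2
    return 2
  fi
  if version_ge "$v" "$min"; then
    echo "$dep $v satisfies minimum $min"
  else
    echo "$dep $v is below $min: raise the requirement in mix.exs if needed, then run: mix deps.update $dep" >&2
    return 1
  fi
}

# Demo on the constructed lock with hypothetical gates: uuid passes, jason does not.
dep_meets_minimum "$SAMPLE_LOCK" uuid 1.1.8
dep_meets_minimum "$SAMPLE_LOCK" jason 1.4.2 || echo "release blocked until jason is updated"
```

In a real project, feed the script `$(cat mix.lock)` instead of the constructed text and commit mix.lock so every build resolves the same versions. For routine upkeep rather than a one-off gate, `mix hex.outdated` lists dependencies with newer releases and `mix hex.audit` reports packages their maintainers have retired.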


References

  • 079 - Non-upgradable Dependencies

Last updated: 2023/09/18