079 – Non-upgradable dependencies

Description

Dependencies are not explicitly declared (name and version) within the source code. They are copied directly into the repositories.

Impact

- Loss of maintainability because dependencies are not maintained. - Late update of units in case a vulnerability is reported for one of the reported vulnerabilities.

Recommendation

All dependencies must be declared and must referenced with a dependency manager (npm, pip, maven). This allows to standardize projects construction and packaging.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

120 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: U

Requirements

• 302 - Declare dependencies explicitly

Fixes

• Dart
• Elixir
• Go
• Java
• Javascript
• Python
• Scala
• Typescript

Last updated

2024/02/12