Modern software applications are intricate mosaics built from numerous third-party components—libraries, frameworks, and modules that deliver essential functionalities and streamline development. These components, whether open-source or paid, are indispensable for solving common problems and enhancing programming languages. But they carry certain risks.
These components may contain known security vulnerabilities that are more or less severe, or require compliance with regulations related to the type of license. Also, over time, these components age and new, more updated versions come out that often fix many problems reported on earlier versions.
When a new vulnerability is reported on a used component, or it needs to be replaced because it is now obsolete, it sometimes becomes difficult to understand where this component was referenced and used, especially in the case of large applications that have been maintained for a long time and by different vendors or personnel who have been replaced, it is unclear where and how to intervene.
By analyzing the application with CAST Imaging and activating a subscription on CAST Highlight for OSS, you have an extremely powerful method to intervene and solve the problem quickly.
CAST Imaging can be used for many different case histories, and has a guide that directs you step-by-step toward creating the required report/view. In this case, simply make the following choices:
Each choice made is guided by multiple-response context menus. Once all selections have been made, the following view is displayed:
CAST Imaging provides a list of third-party components detected in your source code, either through references or actual files. For each component, it displays:
- Name
- Version used
- Release date
- Time since the release
- Known CVE security vulnerabilities (classified as Extreme/High/Medium/Low)
- Latest version that resolves these vulnerabilities
- Number of releases per year
- Files where the component dependency was found
The right side of the view shows a graph detailing the situation of the selected component. In the specific case we see that the component “express” is referenced for version 4.17.1 which contains 1 CVE High and 2 CVE Medium. The version should be replaced with 4.17.3 which is considered safe. In the graph we see that the component is referenced 5 times by 7 objects that belong to the NodeJS layer.
Pressing on the “Investigate” button opens a further detail view:
From this view, we can see all references to the “express” component in the source code, along with the file paths containing these references and the specific code that needs modification.
The view can be saved and shared with developers, notes and tags can be placed on the objects affected by the intervention:
The CAST Imaging web portal allows you to view all the information and views that are useful for performing third-party component replacement surgery. Of course, having the CAST Highlight subscription, it is always possible to access the CAST Highlight portal for further information related to OSS at the application portfolio level as well:
For in-depth documentation on the operation of the new “Highlight 2 MRI” extension, click here.
SHARE