
Why do we have to fix security vulnerabilities on the test scope dependencies?

Why do we have to fix security vulnerabilities on the libraries that we use only in testing scope?

I've been trying to find the answer online but no luck so thought of asking here.

For example: https://nvd.nist.gov/vuln/detail/CVE-2021-23463 I found this vulnerability, but H2 was included as <scope>test</scope> in Maven.

Thanks in advance!

Tests will likely be run by CI on your internal infrastructure. Or just on your developer machines. They will be run somewhere that is more or less internal to your infrastructure.

A vulnerability can be exploited in many ways; the one you mentioned is an XXE. A malicious XML file can be used to do stuff on the host that processes it. This might allow an internal unprivileged attacker (e.g. a developer) to compromise CI, which might have access to more valuable credentials. Or it might allow an external attacker to compromise a developer PC (by somehow providing malicious XML input), and then compromise CI from there, and so on.

You can see the point, you don't just want to protect your production environment. Sure, that might be the most important, but the way to protect it is to apply defense in depth, and mitigate risks for the whole infrastructure.
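As an added example (not part of the question or either answer), this is how a test-scoped dependency such as the H2 artifact from the question would be pinned to a fixed release in a Maven pom.xml. The project coordinates are hypothetical and the version value is a placeholder; the actual fixed release should be taken from the NVD entry linked in the question.

```xml
<!-- Added example, not from the original post: pinning a test-scoped dependency
     to a fixed release. The version is a placeholder; replace it with the release
     the advisory lists as fixed. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>        <!-- hypothetical coordinates -->
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>

  <!-- dependencyManagement overrides versions pulled in transitively by other
       test libraries, so the pin applies even where h2 is not declared directly. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.h2database</groupId>
        <artifactId>h2</artifactId>
        <version>FIXED_VERSION_PLACEHOLDER</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.h2database</groupId>
      <artifactId>h2</artifactId>
      <!-- the scope stays test-only; only the resolved version changes -->
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=com.h2database:h2` shows which version Maven actually resolves for the test classpath, which is the value a scanner will report against.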

Why do we have to fix security vulnerabilities on the libraries that we use only in testing scope?

I can think of a couple of reasons why you might have to fix the vulnerabilities:

  1. Because your management, or the security team, tells you that you have to. They may tell you this for reasons of compliance with some internal policy, or some external compliance rules... or even for legal reasons.

  2. Because you are unable to conclusively show that the vulnerabilities in the test scope do not constitute a risk.


And the converse is:

  • IF management doesn't say that you have to fix them AND you can conclusively show that the vulnerability is NOT a risk in your test infrastructure THEN you could decide to not fix them.
  • HOWEVER if your assessment is incorrect THEN the blame and consequences will fall on you.

In short... you need to decide if you want to take the risk of ignoring the vulnerability.
