Intermediate Web — OWASP Top 10

Vulnerable Components and Software Supply Chain

Using components with known vulnerabilities (libraries, frameworks, npm/composer/pip packages) exposes the application to public exploits. The software supply chain is a growing attack vector — attackers compromise an upstream package and malicious code reaches thousands of projects.

Why It Is Critical

Notable vulnerabilities by component:
- Log4Shell (CVE-2021-44228): remote code execution via log4j (Java)
  Impacted: Apple, Microsoft, Steam, Amazon, Cloudflare, and thousands more
- Heartbleed (CVE-2014-0160): memory disclosure (buffer over-read) in OpenSSL
- Struts RCE (CVE-2017-5638): Equifax breach (147M records)
- Spring4Shell (CVE-2022-22965): RCE in Spring Framework

Identifying Vulnerable Dependencies

# npm / Node.js
npm audit
npm audit fix

# pip / Python
pip install pip-audit
pip-audit

# Composer / PHP
composer audit

# Maven / Java
mvn dependency-check:check

# Ruby Gems
bundle audit

Software Composition Analysis (SCA) in CI/CD

# GitHub Actions — Automatic Dependabot (dependabot.yml)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10

# GitHub Actions workflow step running OWASP Dependency-Check (fails the job at CVSS >= 7)
- name: Dependency Check
  run: |
    ./dependency-check.sh \
      --project "myapp" \
      --scan . \
      --failOnCVSS 7 \
      --format HTML

Supply Chain — Attacking Upstream Packages

Supply chain attack types:
1. Typosquatting: publish "coloers" instead of "colors" — user installs the wrong one
2. Dependency confusion: internal package name published on public registry with a higher version
3. Maintainer account takeover: compromised account, malicious code inserted
4. Build pipeline poisoning: upstream project's CI/CD is compromised

# Verify package checksum before installing (npm; npm pack writes <package>-<version>.tgz)
npm pack <package> && shasum -a 256 <package>-<version>.tgz

# Verify hashes (pip hash-checking mode; PEP 458 registry signing is still being adopted)
pip install --require-hashes -r requirements.txt
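The hash-checking step above is easy to reason about once you see what pip actually does with a `--hash=` pin. The following is an added example, not code from the page or from pip: it parses a requirements file in hash-checking format, refuses any package that is not pinned, and refuses an artifact whose digest matches none of the pinned hashes. The package names, artifact bytes and resulting hashes are constructed for this file; `pin_line` plays the role of `pip hash` at the time the dependency was reviewed.

```python
"""Hash-pinned dependency verification, the check `pip install --require-hashes`
performs: refuse anything not pinned, and refuse an artifact whose digest does
not match a pinned one.  Added example; package names, artifact bytes and the
resulting hashes are all constructed for this file."""
import hashlib
import re
from typing import Dict, Set, Tuple

HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")
REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s\\]+)")

# {normalised name: (pinned version, {(algorithm, hexdigest), ...})}
Pins = Dict[str, Tuple[str, Set[Tuple[str, str]]]]


def parse_hash_pins(text: str) -> Pins:
    """Parse a requirements.txt written in hash-checking mode."""
    # pip joins backslash line continuations before parsing; do the same.
    joined = text.replace("\\\n", " ")
    pins: Pins = {}
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"hash-checking mode requires '==' pins: {line!r}")
        name, version = m.group(1).lower(), m.group(2)
        hashes = {(alg, hexd.lower()) for alg, hexd in HASH_RE.findall(line)}
        if not hashes:
            raise ValueError(f"{name}: no --hash given; --require-hashes would refuse it")
        pins[name] = (version, hashes)
    return pins


def verify_artifact(name: str, data: bytes, pins: Pins) -> Tuple[bool, str]:
    """Return (ok, reason) for a downloaded artifact: unpinned packages and
    digest mismatches are both rejected, so a tampered mirror or a swapped
    upload cannot get installed."""
    name = name.lower()
    if name not in pins:
        return False, f"{name}: not pinned, refusing to install"
    version, hashes = pins[name]
    for alg, expected in hashes:
        if hashlib.new(alg, data).hexdigest() == expected:
            return True, f"{name}=={version}: {alg} digest matches"
    return False, f"{name}=={version}: downloaded artifact matches no pinned digest"


def pin_line(name: str, version: str, data: bytes) -> str:
    """The requirements line a maintainer commits after hashing the artifact
    they reviewed (the value `pip hash` prints for that file)."""
    return f"{name}=={version} \\\n    --hash=sha256:{hashlib.sha256(data).hexdigest()}"


# Constructed artifacts standing in for downloaded wheels.
GOOD_WHEEL = b"PK\x03\x04 constructed contents of example_pkg-1.2.3.whl"
OTHER_WHEEL = b"PK\x03\x04 constructed contents of other_pkg-4.5.6.whl"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# bytes appended after the pin was taken"

# The requirements file committed to the repository, pinned from reviewed artifacts.
REQUIREMENTS_TXT = "\n".join([
    pin_line("example-pkg", "1.2.3", GOOD_WHEEL),
    pin_line("other-pkg", "4.5.6", OTHER_WHEEL),
]) + "\n"

if __name__ == "__main__":
    pins = parse_hash_pins(REQUIREMENTS_TXT)
    for label, blob in [("example-pkg", GOOD_WHEEL),
                        ("example-pkg", TAMPERED_WHEEL),
                        ("unpinned-pkg", b"anything")]:
        print(verify_artifact(label, blob, pins))
```

The important property is that a single unpinned line makes the whole install fail rather than silently falling back to a plain version match; that is why the parser raises instead of skipping.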

Lock Files and Reproducibility

# ALWAYS commit lock files — they pin exact versions
package-lock.json   # npm
yarn.lock           # yarn
composer.lock       # composer
Pipfile.lock        # pipenv
poetry.lock         # poetry
go.sum              # go modules

Without a lock file, npm install may install a different (and vulnerable) version on each build.
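A lock file only helps if it is complete and points where you expect. As an added example (not code from the page or from npm), the audit below checks a `package-lock.json` for the properties that make an install reproducible and resistant to dependency confusion: every entry carries a pinned version, a `resolved` URL and an `integrity` hash, the URL's host is on an allowlist, and packages in the organisation's own scope come only from the private registry. The lock file contents, the `@acme/` scope and the registry hostnames are constructed for this example.

```python
"""Audit a package-lock.json (lockfileVersion 2/3 layout) for pins, integrity
hashes and approved registry hosts.  Added example; the policy values and the
sample lock are constructed."""
import json
from typing import List
from urllib.parse import urlparse

# Constructed policy: public registry for third-party packages, private registry
# mandatory for the organisation's own @acme/* packages.
ALLOWED_HOSTS = {"registry.npmjs.org", "npm.internal.example"}
INTERNAL_SCOPE = "@acme/"
INTERNAL_HOST = "npm.internal.example"


def audit_lockfile(lock: dict) -> List[str]:
    """Return a list of findings; an empty list means the lock passes."""
    findings: List[str] = []
    packages = lock.get("packages")
    if not packages:
        return ["no 'packages' map: not a v2/v3 lock file, nothing to verify"]
    for path, entry in packages.items():
        if path == "":
            continue  # the root project itself
        if entry.get("link"):
            continue  # workspace symlink, not fetched from a registry
        name = entry.get("name") or path.split("node_modules/")[-1]
        if "version" not in entry:
            findings.append(f"{name}: no pinned version")
        if "integrity" not in entry:
            findings.append(f"{name}: no integrity hash, tarball cannot be verified")
        resolved = entry.get("resolved")
        if not resolved:
            findings.append(f"{name}: no resolved URL, install will re-resolve the range")
            continue
        host = urlparse(resolved).hostname or ""
        if host not in ALLOWED_HOSTS:
            findings.append(f"{name}: resolved from unapproved host {host}")
        if name.startswith(INTERNAL_SCOPE) and host != INTERNAL_HOST:
            findings.append(
                f"{name}: internal package resolved from {host} (dependency confusion)")
    return findings


# Constructed lock file mixing compliant and non-compliant entries.
SAMPLE_LOCK = json.loads("""
{
  "name": "myapp", "lockfileVersion": 3, "packages": {
    "": {"name": "myapp", "version": "1.0.0"},
    "node_modules/colors": {
      "version": "1.4.0",
      "resolved": "https://registry.npmjs.org/colors/-/colors-1.4.0.tgz",
      "integrity": "sha512-CONSTRUCTEDHASH=="
    },
    "node_modules/@acme/auth-client": {
      "version": "99.0.0",
      "resolved": "https://registry.npmjs.org/@acme/auth-client/-/auth-client-99.0.0.tgz",
      "integrity": "sha512-CONSTRUCTEDHASH=="
    },
    "node_modules/@acme/logger": {
      "version": "2.1.0",
      "resolved": "https://npm.internal.example/@acme/logger/-/logger-2.1.0.tgz",
      "integrity": "sha512-CONSTRUCTEDHASH=="
    },
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "http://mirror.example.net/left-pad-1.3.0.tgz"
    }
  }
}
""")

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK):
        print(finding)
```

The `@acme/auth-client` entry is the dependency-confusion pattern from the list above seen from the defender's side: a suspiciously high version of an internal name resolved from the public registry. Running this in CI next to `npm ci` (which installs strictly from the lock) catches it before the tarball is ever fetched.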

SBOM — Software Bill of Materials

Generate an inventory of all dependencies for traceability and incident response.

# Generate SBOM with syft
syft packages . -o cyclonedx-json > sbom.json

# Scan SBOM for vulnerabilities with grype
grype sbom:sbom.json
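What a scanner such as grype does with the SBOM is a join between component identifiers and an advisory feed, followed by a severity gate. The added example below (not code from the page, syft or grype) performs that join over a CycloneDX document, using each component's purl, and fails the build when any match scores CVSS >= 7, the threshold in the Dependency Security Checklist. The SBOM, the advisory records (ids, version ranges, scores) and the package names are constructed; a real pipeline would feed in grype, OSV or NVD data instead.

```python
"""SBOM-driven CI gate: match CycloneDX components against an advisory feed
and fail on CVSS >= 7.  Added example; the SBOM and feed are constructed."""
import json
from typing import List, Tuple

FAIL_ON_CVSS = 7.0  # the threshold recommended on this page


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; sufficient for the constructed feed.
    A production gate uses the ecosystem's own version semantics."""
    return tuple(int(p) for p in v.split("."))


def sbom_components(sbom: dict) -> List[Tuple[str, str, str]]:
    """Extract (ecosystem, name, version) from each component's purl,
    e.g. pkg:npm/colors@1.4.0 or pkg:maven/org.example/parser@1.0.5?type=jar."""
    out = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        if not purl.startswith("pkg:"):
            continue
        body, _, rest = purl[4:].partition("@")
        version = rest.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers / subpath
        ecosystem, _, name = body.partition("/")
        out.append((ecosystem, name, version))
    return out


def match_advisories(components, feed) -> List[dict]:
    """Advisory records look like {id, ecosystem, name, introduced, fixed, cvss};
    a component is affected when introduced <= version < fixed."""
    findings = []
    for eco, name, version in components:
        for adv in feed:
            if (adv["ecosystem"], adv["name"]) != (eco, name):
                continue
            v = parse_version(version)
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append({
                    "id": adv["id"],
                    "component": f"{name}@{version}",
                    "cvss": adv["cvss"],
                    "fix": f"upgrade to {adv['fixed']}",
                })
    return findings


def gate(sbom: dict, feed: list, threshold: float = FAIL_ON_CVSS) -> Tuple[bool, List[dict]]:
    """Return (passed, findings): passed is False when any finding reaches the
    threshold; lower-severity findings are reported but do not block."""
    findings = match_advisories(sbom_components(sbom), feed)
    blocking = [f for f in findings if f["cvss"] >= threshold]
    return (not blocking, findings)


# Constructed CycloneDX SBOM in the shape syft emits with -o cyclonedx-json.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "colors", "version": "1.4.0",
     "purl": "pkg:npm/colors@1.4.0"},
    {"type": "library", "name": "example-web", "version": "2.3.0",
     "purl": "pkg:pypi/example-web@2.3.0"},
    {"type": "library", "name": "parser", "version": "1.0.5",
     "purl": "pkg:maven/org.example/parser@1.0.5?type=jar"}
  ]
}
""")

# Constructed advisory feed; ids, ranges and scores are made up for this example.
SAMPLE_FEED = [
    {"id": "ADV-CONSTRUCTED-001", "ecosystem": "pypi", "name": "example-web",
     "introduced": "2.0.0", "fixed": "2.3.1", "cvss": 9.8},
    {"id": "ADV-CONSTRUCTED-002", "ecosystem": "maven", "name": "org.example/parser",
     "introduced": "1.0.0", "fixed": "1.1.0", "cvss": 5.3},
    {"id": "ADV-CONSTRUCTED-003", "ecosystem": "npm", "name": "colors",
     "introduced": "1.4.1", "fixed": "1.4.2", "cvss": 7.5},
]

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_SBOM, SAMPLE_FEED)
    for f in findings:
        print(f)
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the CI job
```

Keeping the SBOM as a build artifact is what makes the incident-response use case work: when a new advisory lands, the same join can be rerun against every stored SBOM without rebuilding anything.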

Dependency Security Checklist

  • Automate updates: Dependabot, Renovate Bot.
  • Block CVSS >= 7 in the CI/CD pipeline.
  • Use a private registry for internal dependencies.
  • Verify package integrity with hashes.
  • Monitor CVEs continuously — NVD, GitHub Advisory Database.
  • Prefer active dependencies with a history of responding to vulnerabilities.
  • Remove unused dependencies regularly.