
Stop Detecting, Start Fixing: Dependency Upgrades as the Real Solution

Dependency upgrades are the simplest, most effective way to mitigate risks—so why aren’t they the priority?

People don't want to buy a drill and a quarter-inch bit. They want a quarter-inch hole!

Open-source software is everywhere. If you want to build software applications, you will want to use it—unless you are getting paid hourly, in which case maybe you want to spend a lifetime re-building modules already available.

Software Composition Analysis (SCA) is a category of tooling that lets organizations analyze their applications’ open-source components, for reasons such as license compliance and security vulnerabilities. The SCA market has been a rollercoaster: there’s a clear need and purpose, but these tools have historically introduced unreasonable developer friction. In recent years, regulatory and compliance requirements have picked up, causing organizations to invest in the latest SCA tooling, typically the products with the best prioritization features, to reduce developer friction.

But given an SCA tool finding, what are the remediation options? It’s pretty simple:

  • Don’t use the component

  • Upgrade the component

  • Vendor the component and modify as needed

Many vendors are racing to offer features revolving around vulnerability detection. However, the competition for automating dependency management, e.g., keeping components up-to-date, is much less fierce —despite this being the most common strategy for remediating known risks.

95% of the time, when vulnerable components are consumed, a fixed version already exists.

Sonatype has also found that it takes open-source maintainers about 300 days to update a dependency to remediate a vulnerability and issue a new release, a significant increase compared to ten years ago, when data showed an average of only a few weeks.

Out of interest and for future use, I wanted to note some general details about the available tools. Perhaps you’ll find it helpful as well!

Tool Notes

Renovate (open-source and paid versions are available) focuses on automating dependency updates with a data-driven approach, providing developers with actionable insights to reduce the risk of breaking changes.

  • Key Metrics:

    • Age: Time since the update’s release.

    • Adoption: % of Renovate users using this release—high adoption indicates low risk.

    • Passing Tests: % of updates with successful test results from CI pipelines.

    • Confidence Levels:

      • Low: Likely breaking changes (e.g., major version updates).

      • Neutral: Insufficient data to assess risk.

      • High: Low risk based on Age, Adoption, and Passing metrics.

      • Very High: Widely adopted, mature updates with extensive testing.

  • Platform Support: GitHub, GitLab, Bitbucket, Azure, Gitea, and more.

  • Language Support: Supports nearly all languages and private packages.

  • Hosting: Can be self-hosted for organizations with strict compliance needs.

  • Standout Feature: Superior update insights (e.g., confidence levels) to guide safe upgrades.
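As an added example (not from the post or from the Renovate project), the following renovate.json5 turns the confidence levels above into a merge policy: only minor and patch updates rated high or very high are auto-merged, while low or neutral confidence and all major updates wait for review. It assumes the Mend-hosted Merge Confidence data is available, which the hosted Mend Renovate app provides and a self-hosted instance must be configured with a token to fetch.

```json5
// renovate.json5 (constructed example; not the project's own config)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "packageRules": [
    {
      // Minor and patch updates that Merge Confidence rates "high" or
      // "very high" (old enough, widely adopted, passing others' CI)
      // are merged automatically once this repository's CI passes.
      "matchUpdateTypes": ["minor", "patch"],
      "matchConfidence": ["high", "very high"],
      "automerge": true
    },
    {
      // "neutral" means too little data to judge; "low" means likely
      // breaking. Both still get a PR, but a human must approve it.
      "matchConfidence": ["low", "neutral"],
      "automerge": false
    },
    {
      // Major updates are treated as likely breaking regardless of score.
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["breaking-risk"]
    }
  ],
  // Do not pick up a release the day it ships: gives the "Age" metric
  // meaning and leaves time for a hijacked release to be pulled.
  "minimumReleaseAge": "3 days",
  "vulnerabilityAlerts": {
    // Updates that fix a known vulnerability are exempt from the delay
    // so a fixed version is adopted as soon as it exists.
    "enabled": true,
    "minimumReleaseAge": null,
    "labels": ["security"]
  }
}
```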

Dependabot (open-source and paid versions are available) offers built-in dependency management within GitHub, focusing on automatic PRs and compatibility verification.

  • Compatibility Score:

    • Reflects the % of successful CI runs for dependency updates between specific versions.

    • Requires at least five candidate updates; otherwise, the badge reads “unknown.”

    • Most updates (83%) lack enough data for a compatibility score badge, limiting its utility for lesser-used libraries.

  • Platform Support: GitHub only.

  • Language Support: Broad, with private package support.

  • Hosting: Compatible with self-hosted GitHub runners for greater flexibility.

  • Standout Feature: Seamless integration with GitHub workflows, simplifying setup for existing CI/CD pipelines.

Endor Labs (paid only) provides a unique focus on risk quantification and remediation assistance, emphasizing developer confidence during updates.

  • Remediation Risk Levels:

    • High: Likely breaking changes with high confidence.

    • Medium: Moderate risk, such as major version conflicts.

    • Low: Minimal evidence of breaking changes (but not guaranteed).

  • Endor Patches: A curated repository of backported fixes for vulnerabilities in popular packages, allowing organizations to patch without upgrading.

  • Platform Support: GitHub, GitLab, Bitbucket, Azure DevOps.

  • Language Support: I’m unsure; maybe it’s just Java? I’m also unsure whether it supports private packages.

  • Standout Feature: Leverages call graph analysis to determine breaking changes in version upgrades.

Snyk focuses on integrating security scanning and remediation into the development lifecycle, aiming to reduce developer overhead.

  • Package Ecosystems: npm, Yarn, Maven Central.

  • Platform Support: GitHub, Bitbucket, GitLab, Azure Repos, and enterprise platforms.

  • Upgrade Strategy: Defaults to patches and minor upgrades for safety.

  • Private Dependency Support: Currently in beta for automatic PRs.

  • Hosting: Works with Snyk Broker, a secure relay for connecting internal repositories (high cost for enterprises).

  • Standout Feature: N/A

Seal Security leverages AI to assist with vulnerability remediation, aiming to provide intelligent fixes for diverse ecosystems.

  • AI-Powered Fixes: Automates backporting of security patches to maintain compatibility.

  • Package Sealing: Ensures packages remain secure with “sealed” versions that include fixes.

  • Language Support: Covers multiple languages, including Java, Python, and JavaScript.

  • Standout Feature: AI-driven fixes for rapid, secure remediation, potentially reducing reliance on manual intervention.

HeroDevs provides long-term support for deprecated and end-of-life frameworks, addressing critical gaps in legacy systems.

  • Never-Ending Support (NES): Security and compliance updates for end-of-life frameworks like AngularJS, ESLint, and Spring Framework.

  • Standout Feature: Tailored support for enterprises reliant on legacy frameworks, filling a niche often neglected by other vendors.

Moderne automates codebase transformations, making it easier for teams to migrate frameworks or adopt best practices.

  • Rewrite Recipes: Automates framework migrations, library updates, and version upgrades.

  • Language Support: Java, Kotlin, and other JVM languages.

  • Platform Integration: GitHub and GitLab.

  • Open Source: Built on the OpenRewrite framework, encouraging community contributions.

  • Standout Feature: Automating complex refactoring tasks that would otherwise require significant developer effort.

One solution type missing from this list, which the container ecosystem has seemingly embraced, is producing minimal packages. Services like Chainguard and tools such as SlimToolkit (OSS) aim to reduce the attack surface entirely by removing bloatware. Meanwhile, researchers have repeatedly shown that a significant percentage (62%, as reported by Contrast Security) of software dependencies never get executed at runtime.

With malicious dependencies on the rise, this oversight feels increasingly critical; after all, being compromised by something your application didn’t even need is an avoidable tragedy.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks now has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.