P.5.2 Dependency update

Control Details

Objective

Update vulnerable dependency when a fixed version is available

Definition

SCA tools, SBOM tools, and ecosystem tools (such as Dependabot) notify a product team of vulnerabilities in its direct and transitive dependencies and can open an automated pull request that moves each affected dependency to a fixed version. Organizations need a documented process or strategy for applying those updates, which may be manual or automated. Specify which software assets require automated updates, deriving that set from a criticality/risk-based analysis. Containers that contain vulnerable components are rebuilt from an updated base image and dependency set, not patched in place.
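As an added example (not part of this control text or of any named project), the following `.github/dependabot.yml` shows one way to configure the automated pull requests described above so that fixes for application dependencies, container base images and CI actions each arrive as reviewable PRs. The ecosystems, directories, labels and schedules are assumptions chosen for illustration.

```yaml
# Added example: .github/dependabot.yml (assumed layout; not from the control text).
# Ecosystems, paths, labels and schedules are illustrative assumptions.
version: 2
updates:
  # Application dependencies. Assumes an npm project whose lockfile sits in the
  # repository root, so transitive dependencies recorded in the lockfile are
  # covered as well as direct ones.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    groups:
      # Security fixes are batched into their own PR so they can be reviewed
      # and merged ahead of routine bumps.
      security-fixes:
        applies-to: security-updates
        patterns:
          - "*"
      # Routine minor/patch bumps are batched separately; major bumps still
      # arrive as individual PRs for manual review.
      routine-updates:
        applies-to: version-updates
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"

  # Container base images. A PR changes only the FROM tag or digest in the
  # Dockerfile; CI then rebuilds and re-scans the image. Nothing is patched
  # inside an existing image or running container.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"
    labels:
      - "container-rebuild"

  # CI workflow actions are dependencies too and get the same treatment.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "ci-dependencies"
```

The `docker` entry is what makes "rebuild, do not patch" routine: the PR touches only the base image reference, and the normal build pipeline produces and scans a fresh image. Dependabot security updates themselves are switched on in the repository's security settings; this file shapes how the resulting PRs are scheduled, labelled and grouped, and the labels give a criticality-based triage process something to key on.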

Assessment Questions

  1. What is your strategy for updating dependencies based on SCA findings, SBOM findings, or automated pull requests?
  2. What is your strategy for updating dependencies through a tool, such as Dependabot, that automates pull requests?
  3. How does the project use tools such as Dependabot or RenovateBot to help update its dependencies?
  4. Describe the risk/criticality prioritization scheme used when updating assets. How are the software assets that require automated updates defined from a criticality/risk-based perspective?
  5. How are containers updated when a vulnerability is detected?

Reference sources

  1. 800-161 SI-2
  2. OWASP-SCVS 5.8
  3. SSDF RV.1.1
  4. OSSF-Scorecard dependency-update-tool
  5. S2C2F UPD-1, UPD-2, UPD-3
  6. OSPS OSPS-QA-02