Dealing with outdated third-party components
Overview
Keeping track of external/third-party packages or components used in a software application and obtaining visibility on their versions, vulnerabilities, and adherence with the rest of the software is crucial for several reasons:
- Understanding the external packages and their versions helps ensure compatibility and proper functioning of the software. Different versions may introduce new features, bug fixes, or even breaking changes.
- Monitoring for known vulnerabilities in external packages is essential for maintaining the security of the software. Many vulnerabilities are discovered and patched over time, and using outdated or vulnerable versions can expose the application to potential security risks.
- Overall, having visibility helps to maintain software integrity and security. It enables developers to make informed decisions regarding updates and patches thereby reducing potential risks in the software.
This article explains how to quickly identify the use of external/third-party components in your application using CAST Imaging, therefore making their upgrade or removal a much easier and safer task.
How does this feature work?
The information about outdated third-party components is provided by CAST Highlight’s SCA database: containing 118+ million Open-Source components gathered from various forges that we crawl such as Github, GitLab, Maven Central, NPM, NuGet, RubyGem, Packagist, etc. Depending on the component name and version detected in an application scan, CAST Highlight finds possible vulnerabilities (CVEs) by cross-referencing the National Vulnerablity Database (NVD) from NIST, across 150+ thousand known vulnerabilities.
You will therefore need a CAST Highlight subscription in order to leverage this feature. In addition, your application must be fully analyzed in CAST Imaging ensuring that:
- the relevant fields in CAST Highlight Settings are populated
- the extension com.castsoftware.highlight2mri is installed
How do I find out which of my application’s components are outdated?
Your application needs to have the Ready to view status in the Landing page:
Then click Ready to view, expand the Learn about application section and select the Third-party components tile:
If you do not see this tile, it’s likely that your application does not meet the requirements (see above). Contact your CAST representative to discuss how to obtain a CAST Highlight subscription.
Clicking the Third-party components tile will display the following screen, where all outdated third-party components are listed:
| Item | Description |
|---|---|
| Component Name | Lists the name of the obsolete third-party component found in your application. |
| Impacted object count |
Available in ≥ 3.6.0-funcrel
Displays the total number of impacted objects (i.e. objects using the component) in the application. This column is used for the default sort order of the list of components in the table. |
| CVE | Displays statistics about any CVEs (Common Vulnerabilities and Exposures etc.) that are present in the obsolete third-party component. The total count of CVEs is displayed together with the specific number per criticality:
|
| Versions | Displays the version number of the obsolete third party component found in your application. |
| Release Date | Displays the release date of the version of the obsolete third party component found in your application. |
| Gap | Displays the age of the obsolete third party component - i.e. the difference between today’s date and the release date of the version found in your application. The larger the gap the higher the prioritization should be for modernization. Ages are listed in three categories:
|
You can also access outdated third-party components via the Insights menu option in the right-panel:
Filtering on technical roles
Use Technical Roles filter to filter the list of third-party components:
How do I exclude unused items from the results?
By default, the list of third-party components will contain all components that have been found in the application - whether they are actually used or not. If you need to focus your efforts on components that are actually used, then you can toggle the Exclude unused components option:
Where are these outdated components used in my application?
Once you have a list of the outdated third-party components, the next step is find out where these components are being used in your application so that you can make an update plan. The right panel shows a high-level view of the items interacting with the third-party component in your application. Clicking the Investigate button opens up the relevant objects and nodes in full screen mode. A hypothetical example is explained below.
Example
Take the following example where the Jackson Databind component (a general data-binding functionality for Jackson ) is flagged as out of date, with 56 CVEs, 22 of which are critical. This is a great candidate to upgrade. Look at the right panel high-level overview to see adherence:
We can see two types of elements, Java classes and MVC classes that have some connections to the third-party component.
Next click the Investigate button to drill-down to the details - this will help you understand the impact of updating the component, or if you want to remove it entirely. CAST Imaging will show you the internal elements (classes) and whether they concentrated or scattered throughout your application. The red square in the image below highlights the external class from the Jackson component and all other items correspond to internal classes that part of the application and which call the Jackson class:
You can also save this information as a view in order to plan the update, use the export feature or compare the objects with a previous analysis state:
It is also possible to view the exact piece of source code that defines where your custom object is calling the the class - click the link between the objects to do so:
Finally, you can add a Post-It to the view to inform your co-workers what needs doing:
