AD2002: DoNotIncorporateVulnerableDependencies¶
Summary¶
| Property | Value |
|---|---|
| ID | AD2002 |
| Name | DoNotIncorporateVulnerableDependencies |
| Category | Security |
| Severity | Error |
| Applies to | PE (Windows) |
Description¶
Binaries should not incorporate dependencies that contain known security vulnerabilities. This rule analyzes the binary to detect statically linked libraries with known CVEs.
How It Works¶
The rule examines:
- Import tables and embedded library signatures
- Version strings embedded in the binary
- Known vulnerability databases for matching libraries
Why This Matters¶
Incorporating vulnerable dependencies creates a direct path for attackers to exploit known weaknesses in your application.
Supply Chain Security¶
| Risk | Impact |
|---|---|
| Known CVEs | Attackers have ready-made exploits |
| Unmaintained libs | No patches available |
| Transitive deps | Hidden vulnerabilities |
Common Vulnerable Libraries¶
| Library Type | Examples |
|---|---|
| Crypto | OpenSSL, libcrypto (older versions) |
| Compression | zlib, bzip2 |
| Parsing | libxml2, expat |
| Image processing | libpng, libjpeg |
The Attack Surface¶
Your Application
└── Statically links libfoo 1.2.3
└── CVE-2024-XXXX (Remote Code Execution)
└── Attacker exploits known vulnerability
└── Your application compromised
Best Practices¶
| Practice | Benefit |
|---|---|
| Regular updates | Patches known vulns |
| SBOM tracking | Know what you ship |
| Vulnerability scanning | CI/CD detection |
| Dynamic linking | Easier patching |
Performance and Resolution¶
Performance Considerations¶
Resolving vulnerable dependencies has no runtime performance impact on your application. The effort is entirely in the build and update process:
| Activity | Impact |
|---|---|
| Library update | Build-time only |
| Dependency scanning | CI/CD pipeline (seconds) |
| Runtime overhead | None |
Dynamic linking can actually improve memory usage when multiple processes share the same library.
Resolution Steps¶
1. Identify the Vulnerable Dependency¶
Use the detailed output from the analysis to identify which library version is affected:
# View CVE details
curl https://nvd.nist.gov/vuln/detail/CVE-XXXX-YYYY
# Check library version in binary
strings binary | grep -i "version\|openssl\|zlib"
2. Update to a Patched Version¶
For vcpkg (Windows/Cross-platform):
# Update vcpkg ports
git -C vcpkg pull
vcpkg upgrade --no-dry-run
# Specify minimum version
vcpkg install openssl:x64-windows --overlay-triplets=custom-triplets
For Conan:
# Update to latest patched version
conan install . --update
# Pin to specific safe version in conanfile.txt
[requires]
openssl/3.0.12
For system packages:
# Debian/Ubuntu
sudo apt update && sudo apt upgrade libssl-dev
# RHEL/Fedora
sudo dnf update openssl-devel
3. Rebuild the Application¶
# Clean build to ensure old objects are removed
cmake --build . --clean-first
# Or with Make
make clean && make
4. Verify the Fix¶
# Confirm new version is linked
ldd binary | grep ssl
strings binary | grep -i "openssl"
# Re-scan for vulnerabilities
grype binary
CI/CD Integration¶
Automate vulnerability detection in your pipeline:
# GitHub Actions example
- name: Generate SBOM
run: syft ./build/output/ -o spdx-json > sbom.json
- name: Scan for vulnerabilities
run: |
grype sbom:sbom.json --fail-on critical
- name: Upload SBOM artifact
uses: actions/upload-artifact@v3
with:
name: sbom
path: sbom.json
Consider Dynamic Linking¶
For libraries that receive frequent security updates (OpenSSL, zlib, etc.), consider dynamic linking:
| Approach | Pros | Cons |
|---|---|---|
| Static linking | Self-contained binary | Must rebuild for each CVE |
| Dynamic linking | OS updates fix CVEs | Deployment complexity |
# Prefer dynamic linking for security-sensitive libs
find_package(OpenSSL REQUIRED)
target_link_libraries(myapp PRIVATE OpenSSL::SSL)
# Uses system OpenSSL, patched by OS updates
Tools for Dependency Management¶
| Tool | Purpose | Command |
|---|---|---|
| syft | Generate SBOM | syft binary -o spdx-json |
| grype | Vulnerability scan | grype binary |
| trivy | Container/binary scan | trivy fs ./ |
| osv-scanner | OSV database check | osv-scanner --sbom=sbom.json |