Automatic dependency scanning

Applications today depend on an ever-growing number of increasingly complex third-party libraries and frameworks, such as SSL, Spring, Rails, .Net and a variety of third-party authentication systems, which we collectively call third-party dependencies. Once a version of a third-party dependency has been chosen for an application, it is usually left unchanged for a long time because upgrading is expensive: a new version of a library or framework may change how its API is called and how it behaves, which can force large-scale rework of the system. Meanwhile, the dependencies themselves release new versions frequently, adding functions or fixing existing problems (including security problems). When a security problem is found in one of these libraries or frameworks, it is usually published online, for example on NVD, WooYun or another vulnerability platform, while an official patch is often not yet available. During this dangerous window, every system that uses the affected dependency is exposed to attacks that exploit the vulnerability.

The third-party dependencies used by an application therefore need to be managed. The challenge is their sheer number: an application can pull in a very large number of direct and indirect dependencies, and new dependency-related vulnerabilities are published online every day, so managing them by hand does not scale and automation is required. Automatic dependency scanning means enumerating every dependency (including indirect, transitive dependencies) and its version used by the current application, and matching that list against a published vulnerability database. If one of the dependencies has a vulnerability at or above a severity level that the team defines, a security warning is raised, for example by failing the CI build, and sent to the developer or system administrator, who can then take the corresponding measures to fix the problem, so that attacks are prevented and losses avoided or reduced.
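The scan described above, reduced to its essential steps, as an added example that is not part of the original article or of any particular scanning tool: resolve the application's direct and transitive dependencies, match each (name, version) pair against a vulnerability database using version ranges, and apply a team-defined severity threshold to decide whether the CI build fails. The package names, versions, advisory ids (`ADV-1` and so on), severities and the dependency graph are all constructed placeholders standing in for a real lock file and an NVD-style feed.

```python
"""Minimal automatic dependency scanner (added example, not from the original
article). Walks an application's direct and transitive dependencies, matches
each (name, version) against a vulnerability database, and decides whether the
CI build should fail based on a team-defined severity threshold.

All data below is constructed for the example: the package names, versions,
advisory ids ("ADV-1" ...) and severities are placeholders, not real advisories.
"""

from dataclasses import dataclass
from typing import Optional

# Severity ordering used by the "fail the build" policy.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(text):
    """'1.2.10' -> (1, 2, 10); tuples compare numerically, strings would not."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Advisory:
    id: str
    package: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no patch yet
    severity: str

    def affects(self, version):
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        # An advisory with no fix published affects every later version.
        return self.fixed is None or v < parse_version(self.fixed)


# Constructed vulnerability database standing in for an NVD-style feed.
VULN_DB = [
    Advisory("ADV-1", "webframework", "2.0.0", "2.3.1", "high"),
    Advisory("ADV-2", "tlslib", "1.0.0", None, "critical"),   # unpatched
    Advisory("ADV-3", "jsonparser", "0.1.0", "0.9.0", "low"),
]

# Constructed dependency graph: package -> list of (dependency, version).
# DEP_GRAPH["app"] holds the direct dependencies; everything reached from
# them is a transitive dependency the application also ships.
DEP_GRAPH = {
    "app": [("webframework", "2.2.0"), ("jsonparser", "1.2.0")],
    "webframework": [("tlslib", "1.4.2"), ("jsonparser", "1.2.0")],
    "tlslib": [],
    "jsonparser": [],
}


def resolve_dependencies(graph, root="app"):
    """Return {name: version} for every direct and transitive dependency of root.
    The resolved set doubles as a visited set, so cyclic graphs terminate."""
    resolved = {}
    stack = list(graph.get(root, []))
    while stack:
        name, version = stack.pop()
        if name in resolved:
            continue
        resolved[name] = version
        stack.extend(graph.get(name, []))
    return resolved


def scan(dependencies, vuln_db):
    """Match every (name, version) against the database.
    Returns (name, version, advisory id, severity) tuples, sorted by name."""
    findings = []
    for name, version in sorted(dependencies.items()):
        for adv in vuln_db:
            if adv.package == name and adv.affects(version):
                findings.append((name, version, adv.id, adv.severity))
    return findings


def build_should_fail(findings, threshold="high"):
    """Policy: fail CI when any finding is at or above the threshold severity."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[sev] >= limit for _, _, _, sev in findings)


if __name__ == "__main__":
    deps = resolve_dependencies(DEP_GRAPH)
    findings = scan(deps, VULN_DB)
    for name, version, adv_id, sev in findings:
        print(f"{sev.upper():9}{name}=={version}  ({adv_id})")
    print("build failed" if build_should_fail(findings) else "build ok")
```

In the constructed data, `tlslib` is only reached transitively through `webframework`, which is why the walk over the whole graph matters: scanning just the direct dependencies would miss the unpatched critical finding. The threshold is deliberately a parameter so a team can start by failing on `critical` only and tighten it as its backlog shrinks.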