Non-Vulnerable Dependency Resolution
Dependencies may come with vulnerabilities that can be exploited by attackers.

Dependency resolution is the process of identifying and installing the required software packages to ensure that the software being developed runs smoothly. However, these dependencies may come with vulnerabilities that can be exploited by attackers.
Until now, these two contexts have been treated as separate domains:
- Package management tools resolve the version expressions declared for a package's dependencies into concrete versions, then install the selected versions.
- Security tools check whether the resolved package versions are affected by known vulnerabilities (even when the check is integrated into a package management tool).
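To make the separation concrete, here is an added example (not code from the page or from any particular tool) that contrasts the two steps: a toy resolver that picks the newest version matching a version expression, a scanner that checks the chosen version against an advisory database, and a combined resolver that treats known advisories as an additional constraint. The package name "libfoo", its version list, and the advisory id are constructed for illustration.

```python
from typing import List, Optional, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def satisfies(version: str, constraint: str) -> bool:
    """Check a version against a comma-separated expression such as '>=1.1.0,<1.3.0'."""
    v = parse_version(version)
    for clause in constraint.split(","):
        clause = clause.strip()
        for op in (">=", "<=", "==", ">", "<"):  # two-character operators first
            if clause.startswith(op):
                target = parse_version(clause[len(op):])
                ok = {">=": v >= target, "<=": v <= target, "==": v == target,
                      ">": v > target, "<": v < target}[op]
                if not ok:
                    return False
                break
        else:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
    return True

# Constructed sample data (hypothetical package and advisory id): versions
# published for "libfoo" and an advisory database keyed by package name.
REGISTRY = {"libfoo": ["1.0.0", "1.1.0", "1.2.0", "1.2.1", "1.3.0"]}
ADVISORIES = {"libfoo": [("EXAMPLE-ADVISORY-1", ">=1.2.0,<1.3.0")]}

def resolve_newest(pkg: str, constraint: str) -> Optional[str]:
    """Package-manager step: pick the newest version matching the expression."""
    candidates = [v for v in REGISTRY.get(pkg, []) if satisfies(v, constraint)]
    return max(candidates, key=parse_version) if candidates else None

def scan(pkg: str, version: str) -> List[str]:
    """Security-tool step: list advisories whose affected range covers the resolved version."""
    return [aid for aid, affected in ADVISORIES.get(pkg, []) if satisfies(version, affected)]

def resolve_non_vulnerable(pkg: str, constraint: str) -> Optional[str]:
    """Combined step: newest version that matches the expression and has no advisory."""
    candidates = [v for v in REGISTRY.get(pkg, [])
                  if satisfies(v, constraint) and not scan(pkg, v)]
    return max(candidates, key=parse_version) if candidates else None

if __name__ == "__main__":
    expr = ">=1.0.0,<1.3.0"
    chosen = resolve_newest("libfoo", expr)
    print("resolved:", chosen, "-> advisories:", scan("libfoo", chosen))
    print("non-vulnerable resolution:", resolve_non_vulnerable("libfoo", expr))
```

With the sample data, the plain resolver selects 1.2.1 and the scanner flags it afterwards, while the combined resolver backs off to 1.1.0; when every version in range is affected it returns None, which is the case a real tool must surface rather than silently install.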
As a result, the typical approach to get a non-vulnerable dependency tree is: