CramHacks
Posts
[CramHacks] Newsletter #14: Transitive vulnerabilities are bogus

[CramHacks] Newsletter #14: Transitive vulnerabilities are bogus

CramHacks Chronicles: Key Insights On Software Supply Chain Risks

Kyle Kelly
December 13, 2023

🥳 Happy Monday! 🥳

Updates seem to be slowing down for the holidays🎄

I plan to use this slow period to produce long-form content - stay tuned!

Software Supply Chain Security

Kyle’s Spicy Takes

Part 1: Transitive vulnerabilities are bogus

Part 2: Fact-Checking “>90% of vulnerabilities impact transitive dependencies”

👋 This is something I’m thinking about daily, and nearly every day, I come up with a new reason why transitive vulns can be de-prioritized.

We need to dig deeper into active vs inactive code, as Contrast Security's 2021 State of Open Source Security suggests. This is code that is executed (active) vs code that is not (inactive). I’d equate this to developer hygiene, which in 2023 is still a cesspool.

CVE / NVD doesn’t work for open-source and supply chain security

CrashOverride’s Co-Founder Mark Curphey breaks down the history of CVE & NVD, what has changed since they originated in 1999, and some significant pitfalls that break automated vulnerability discovery workflows.

👋 I’m working on a similar article right now. This article has some great points, but I think it’s missing some key failures regarding CVE/NVD, especially as it relates to the software supply chain. One of those being transitive vulnerabilities.

Clint Collabs: Chris Hughes and Securing your Software Supply Chain

YouTube link for last week’s discussion between Chris Hughes & Clint Gibler about software supply chain security.

Securing the Software Supply Chain: Recommended Practices for Managing Open-Source Software and Software Bill of Materials

The Enduring Security Framework (ESF) Software Supply Chain Working Panel has published a 43-page paper about managing open-source software and SBOMs.

“When open-source software (OSS) is being included in a product, and the OSS is accompanied by an SBOM from the distributor of the OSS, that OSS SBOM should be validated before being bound to the incorporating product and the product’s SBOM.”

🌶️ In this context, “validate” apparently means ensuring the formatting is correct. How is that at all useful? But more importantly, who has time for that?

Pg. 9 starts the open-source adoption recommended practices. I’d suggest reading it. At first, it’s frustrating simply because of how infeasible it is for 99% of organizations, but maybe my perspective will change.

OpenSSF Japan: Malicious Package Repository

👋 This was announced ~2 months ago and mentioned in CramHacks here, but OpenSSF Japan just happened last week, and these slides added a lot of color to its purpose. Shoutout to Google’s Caleb Brown!

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don't hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle