Need

Prevent exploitation of known vulnerabilities in dependencies

Context

• Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
• Usage of mix for dependency management

Description

Non compliant code

        defp deps do
  [{:phoenix, '~> 1.2.1'}]
end
        
        

The insecure code example demonstrates the use of an outdated and potentially vulnerable version of the Phoenix framework (1.2.1), as specified in the mix.exs file in an Elixir project. Known vulnerabilities exist in this version of the Phoenix framework that can be exploited by attackers.

Steps

• Identify the dependencies and their versions that are known to have vulnerabilities.
• Search for the latest versions or the safe versions of those dependencies.
• Update the dependency specifications in your mix.exs file.
• Run 'mix deps.update --all' to update the dependencies.

Compliant code

        defp deps do
  [{:phoenix, '~> 1.5.7'}]
end
        
        

In the secure code example, the Phoenix framework has been updated to a more recent and secure version (1.5.7). This version does not have the vulnerabilities present in the older version.

References

• 011. Use of software with known vulnerabilities