Improper Dependency Pinning - Elixir

Improper Dependency Pinning - Elixir

Need

Prevent installation of unsupported or vulnerable dependencies.

Context

  • Usage of Elixir (v1.11+) for building scalable and concurrent applications
  • Usage of Mix for managing assets in Laravel

Description

Non compliant code

        defp deps do
  [
    {:plug, ">= 1.0.0"},
    {:cowboy, "~> 2.1"}
  ]
end
        
        

This code can be vulnerable as it specifies a minimum version for 'plug', which means any version higher than 1.0.0 could be installed, including potentially incompatible or vulnerable versions. The cowboy dependency uses a version range which could potentially install a version with known vulnerabilities.

Steps

  • Specify the exact versions of the dependencies.
  • Regularly update the dependencies and thoroughly test the application after updates.

Compliant code

        defp deps do
  [
    {:plug, "1.12.1"},
    {:cowboy, "2.8.0"}
  ]
end
        
        

This code is safer as it specifies the exact versions of the dependencies to be used. This ensures that known, compatible versions are installed, reducing the risk of installing incompatible or vulnerable dependencies.

References