
Webinar Wednesdays – When Dependabot Is Worse Than Nothing: Log4J As A Sub-Dependency

Watch if this applies to you and find out how to fix this :).

From the “Webinar Wednesday” of March 30th, 2022, with Jim and Julius.

Why should you care? Because if you’re relying on Dependabot, the industry-standard dependency-update tool, then your devs didn’t fix the recent Log4J problem properly.
If you’re using Dependabot, then the tools you’re using now aren’t getting the job done.

In theory Dependabot is exactly what the world needs to keep software dependency chains safe from known vulnerabilities: tightly integrated with GitHub; auto-generates pull requests; plugged into GitHub Security Advisories (GHSA); support for a wide range of programming languages and dependency managers.

But in practice Dependabot has a serious implementation flaw: it can only see transitive dependencies (aka sub-dependencies) in languages and dependency managers that support lock files.

Do you know any languages that currently DO NOT support lock files?

Java / Maven!

This has some bad implications if you’re using Dependabot to protect yourself from Log4J (since Log4J is a Java library).
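Because Maven has no lock file, the only place the full transitive tree is visible is the build tool itself. The script below is an added example (not code from the webinar or from MergeBase): it parses the plain-text output of `mvn dependency:tree`, finds every `org.apache.logging.log4j:log4j-core` node at any depth, prints the chain of parents that pulled it in, and flags versions below a floor. The sample tree is constructed, not captured from a real build, and the floor of 2.17.1 is a chosen threshold that you should set to whatever your own policy requires.

```python
"""Find log4j-core anywhere in a Maven dependency tree, direct or transitive.

Input is the text printed by `mvn dependency:tree` (non-verbose form).
Constructed sample input is embedded below so the script runs offline.
"""
import re
from dataclasses import dataclass

TARGET_GROUP = "org.apache.logging.log4j"
TARGET_ARTIFACT = "log4j-core"
# Chosen floor for this example; anything older is flagged for review.
MIN_SAFE_VERSION = (2, 17, 1)

# Constructed sample of `mvn dependency:tree` output (not a real build).
# log4j-core only appears three levels down, pulled in by a shared library.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ myapp ---
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- com.example:reporting:jar:1.4.0:compile
[INFO] |  \- com.example.shared:logging-commons:jar:3.2.0:compile
[INFO] |     +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |     \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] \- junit:junit:jar:4.13.2:test
"""

# A Maven coordinate: group:artifact:packaging[:classifier]:version[:scope]
COORD_RE = re.compile(r"[\w.\-]+(?::[\w.\-]+){3,5}")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int
    path: tuple  # "group:artifact:version" of each ancestor, root first


def split_coord(coord):
    """Return (group, artifact, version, scope) from a coordinate string."""
    parts = coord.split(":")
    if len(parts) == 4:  # the root project line has no scope
        return parts[0], parts[1], parts[3], ""
    return parts[0], parts[1], parts[-2], parts[-1]


def parse_tree(text):
    """Turn dependency:tree output into Node objects with their ancestry."""
    nodes, stack = [], []
    for raw in text.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        body = raw[len("[INFO] "):]
        # Strip the ASCII-art connectors (|, +-, \-); each level is 3 chars wide.
        coord = body.lstrip("|+\\- ")
        if not COORD_RE.fullmatch(coord):
            continue  # plugin banners and other non-coordinate lines
        depth = (len(body) - len(coord)) // 3
        group, artifact, version, scope = split_coord(coord)
        del stack[depth:]  # drop siblings/descendants of the previous branch
        nodes.append(Node(group, artifact, version, scope, depth, tuple(stack)))
        stack.append(f"{group}:{artifact}:{version}")
    return nodes


def version_key(version):
    """Numeric tuple for the leading dotted part of a version string."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def find_log4j_core(text):
    """All log4j-core nodes in the tree, whatever their depth."""
    return [n for n in parse_tree(text)
            if n.group == TARGET_GROUP and n.artifact == TARGET_ARTIFACT]


def report(text, floor=MIN_SAFE_VERSION):
    """One line per log4j-core node: verdict, depth and the chain that pulled it in."""
    lines = []
    for node in find_log4j_core(text):
        verdict = "FLAG" if version_key(node.version) < floor else "ok"
        chain = " -> ".join(node.path + (f"{node.group}:{node.artifact}:{node.version}",))
        lines.append(f"{verdict}  depth={node.depth}  {chain}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_TREE):
        print(line)
```

Run it against `mvn dependency:tree > tree.txt` output and it lists every path that reaches log4j-core, which is exactly the view a lock-file-based scanner never gets for Maven. Once a flagged path is found, Maven lets you pin the transitive version from the top-level pom via a `dependencyManagement` entry for `log4j-core`, then re-run the tree to confirm the resolved version moved.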
