Feature Focus: Safe OSS Component Version Recommender
CAST Highlight’s Safe OSS Component Version Recommender
Identifying the right version to upgrade a vulnerable component to can be time consuming, especially when you have amassed vulnerabilities across dozens of components by leaving OSS components on outdated versions. The target version should improve security (i.e., carry fewer vulnerabilities) without breaking the application, which can happen when the new version is dramatically different from the one in use and requires significant code changes. You could manually review the component timeline with vulnerability data by version to pick the target version, but this remains a manual and tedious exercise. CAST Highlight now automatically calculates and reports the two versions you should consider for each OSS component upgrade: the safer and closest version, and the safest version. Let's see how the feature works in detail.
Safer & Closest version: the quick path
As its name indicates, this is the version that has fewer vulnerabilities than the one in use (vulnerabilities are grouped and ordered by severity before comparison) and that was released closest to the version currently found in the scanned application.
This is typically the information you would use to make the component safer quickly. It also carries a lower risk of functional regressions from the upgrade, since the gap with the component version in use is usually smaller.
Safest version: the ideal path
This is the ultimate upgrade goal for a component with vulnerabilities: the version with the lowest number of vulnerabilities across the component timeline. Upgrading directly to it can be risky, as the gap with your current version can be significant, possibly several major releases. Note that the safest version is not necessarily the latest published version, because it is selected for having the fewest vulnerabilities, not for being the newest; when several versions share the lowest count, the one closest to the version detected in the scan is reported.
Where to retrieve this information in CAST Highlight
Both the Safer & Closest and the Safest component versions are available at the application level. From the dashboards, they are listed in the component table under the Software Composition tab. The same information is available in the Excel BOM export and from the API (WS2/domains/{domainId}/applications/{applicationId}/thirdparty).
Note that alpha, beta and other pre-release versions are automatically excluded from both the Safer and Safest recommendations, as upgrading a component to a version with this status is not recommended, even if it (theoretically) has fewer vulnerabilities.
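To make the selection rules described above concrete, here is an added example in Python. It is not CAST Highlight's code and does not reflect its actual implementation; it simply rebuilds the two recommendations (Safer & Closest, Safest, with pre-releases excluded) over a constructed vulnerability timeline for a hypothetical component. The following are assumptions of this example, not statements from the article: versions order as dotted numeric tuples; only stable releases newer than the detected one are upgrade candidates; "fewer vulnerabilities, grouped and ordered by severity" is read as a lexicographic comparison of (critical, high, medium, low) counts; "closest" means nearest in release order, since the sample carries no release dates; and the vulnerability counts are made up.

```python
import re
from dataclasses import dataclass, field

# Severity buckets, most severe first. Versions are compared lexicographically
# over this tuple (an assumption of this example, see the lead-in).
SEVERITIES = ("critical", "high", "medium", "low")
# Tags treated as pre-release markers (assumption; extend for your ecosystem).
PRERELEASE = re.compile(r"(alpha|beta|rc|pre|snapshot|dev)", re.IGNORECASE)


@dataclass
class Release:
    version: str
    vulns: dict = field(default_factory=dict)  # severity -> number of known vulnerabilities

    def key(self):
        """Numeric version tuple used for release ordering, e.g. "2.10.1" -> (2, 10, 1)."""
        m = re.match(r"\d+(?:\.\d+)*", self.version)
        return tuple(int(p) for p in m.group(0).split(".")) if m else ()

    def is_prerelease(self):
        return PRERELEASE.search(self.version) is not None

    def severity_vector(self):
        return tuple(self.vulns.get(s, 0) for s in SEVERITIES)


def recommend(detected, releases):
    """Return (safer_closest, safest) as version strings.

    Either value is None when no stable release newer than the detected
    version has fewer vulnerabilities than it.
    """
    current = next(r for r in releases if r.version == detected)
    baseline = current.severity_vector()
    # Candidate upgrades: stable releases newer than the detected one, in
    # release order. Pre-releases are dropped, as the article states.
    candidates = sorted(
        (r for r in releases if not r.is_prerelease() and r.key() > current.key()),
        key=Release.key,
    )
    # Keep (distance, release) pairs that actually improve on the baseline.
    improving = [(i, r) for i, r in enumerate(candidates) if r.severity_vector() < baseline]
    if not improving:
        return None, None
    # Safer & Closest: the nearest newer release that improves on the baseline.
    safer_closest = improving[0][1].version
    # Safest: the lowest severity vector on the timeline; ties go to the release
    # closest to the detected version, so the latest release does not win
    # merely by being the latest.
    safest = min(improving, key=lambda ir: (ir[1].severity_vector(), ir[0]))[1].version
    return safer_closest, safest


# Constructed timeline for a hypothetical component; the counts are not real CVE data.
TIMELINE = [
    Release("1.8.0", {"critical": 1, "high": 2, "medium": 1}),  # version found in the scan
    Release("1.8.1", {"critical": 1, "high": 1}),               # next release, slightly safer
    Release("1.9.0-beta.1"),                                    # pre-release: excluded
    Release("1.9.0", {"high": 1, "medium": 2}),
    Release("2.0.0", {"medium": 1}),
    Release("2.1.0"),                                           # clean
    Release("2.1.1"),                                           # also clean, but further away
    Release("2.2.0", {"high": 1}),                              # latest, yet regressed
]

if __name__ == "__main__":
    print(recommend("1.8.0", TIMELINE))  # ('1.8.1', '2.1.0')
```

Run against the constructed timeline from 1.8.0, the quick path is 1.8.1 (the first newer release that improves on the current severity profile) and the ideal path is 2.1.0: 2.1.1 is equally clean but further away, and 2.2.0 is the latest release but carries a new high-severity issue, which is exactly why the safest version is not simply the newest one. When you wire real data into a script like this, feed it the per-version vulnerability counts from your SCA tool's BOM export and treat the severity ordering as a policy choice, not a given.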