Wot, no package manager?
Unfortunately for Google marketing, C/C++ developers prefer to manage their own dependencies, so maybe not worth the effort doing this ;)
Google this week released OSV-Scanner – an open source vulnerability scanner linked to the OSV.dev database that debuted last year. Written in the Go programming language, OSV-Scanner is designed to scan open source applications to assess the security of any incorporated dependencies – software libraries that get added to …
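To show what the scanner above actually does with a dependency list, here is an added Python sketch (example code, not Google's or the OSV-Scanner project's own): it builds a request in the shape of OSV.dev's `/v1/querybatch` endpoint and reads the answer back into a per-package report. The HTTP call is left out so it runs offline; the dependency triples, package names and vulnerability ids are constructed placeholders, and only the request/response shape follows the real API.

```python
"""Build an OSV.dev batch query from a dependency list and report matches.

Offline: the network call is replaced by a constructed sample response
shaped like a real /v1/querybatch answer (ids and modified dates only).
"""
import json

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed sample: (ecosystem, package, version) as a lockfile resolver
# might emit them. Names are placeholders, not real packages.
SAMPLE_DEPS = [
    ("npm", "example-a", "1.3.0"),
    ("npm", "example-b", "0.0.8"),
    ("Go", "github.com/example/lib", "v1.2.3"),
]

def build_querybatch(deps):
    """Return the JSON body OSV expects: one query per (ecosystem, name, version)."""
    return {"queries": [{"package": {"ecosystem": eco, "name": name}, "version": ver}
                        for eco, name, ver in deps]}

# Constructed response: results line up index-for-index with the queries.
# The EXAMPLE-* ids are placeholders, not real OSV entries.
SAMPLE_RESPONSE = json.dumps({"results": [
    {},
    {"vulns": [{"id": "EXAMPLE-2023-0001", "modified": "2023-01-02T00:00:00Z"}]},
    {"vulns": [{"id": "EXAMPLE-2023-0002", "modified": "2023-02-03T00:00:00Z"},
               {"id": "EXAMPLE-2023-0003", "modified": "2023-02-04T00:00:00Z"}]},
]})

def summarize(deps, response_text):
    """Map 'ecosystem:name@version' -> sorted vuln ids, omitting clean packages."""
    results = json.loads(response_text)["results"]
    if len(results) != len(deps):  # a misaligned reply would mislabel packages
        raise ValueError("OSV returned %d results for %d queries" % (len(results), len(deps)))
    report = {}
    for (eco, name, ver), res in zip(deps, results):
        ids = sorted(v["id"] for v in res.get("vulns", []))
        if ids:
            report["%s:%s@%s" % (eco, name, ver)] = ids
    return report

def exit_code(report):
    """Non-zero when any dependency matched, so a CI job can fail the build."""
    return 1 if report else 0

if __name__ == "__main__":
    print(json.dumps(build_querybatch(SAMPLE_DEPS), indent=2))
    rep = summarize(SAMPLE_DEPS, SAMPLE_RESPONSE)
    for key, ids in rep.items():
        print(key, "->", ", ".join(ids))
    raise SystemExit(exit_code(rep))
```

In a real pipeline the body from `build_querybatch` would be POSTed to `OSV_QUERYBATCH_URL` and the reply passed to `summarize`; the batch endpoint returns only ids, so each id still needs a follow-up lookup for details.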
"this basic single-page 'Hello world' app required a total of 1,764 dependencies"
The canonical K&R "hello world" app was intended as an example of a minimal program. It had no external dependencies whatsoever, unless you include the standard C library.
"There are simply too many dependencies and versions to keep track of manually, so automation is required."
Wrong! That is an *insane* number of dependencies and requires massive application of the code-axe. Here:
<html>Hello, world.</html>
You're welcome.
-A.
Agreed.
The modern "programming" practice of extracting various code blobs from a massive library and pasting them together is a security nightmare. There's no chance that in 1,764 dependencies there won't be a vulnerability somewhere. So you can pretty well guarantee that every single such app can be abused.
Anyone who uses this "programming" paradigm in financial or industrial sectors, or other critical sectors like hydro, water, sewer utilities etc, is taking a massive risk.
Obligatory XKCD: https://xkcd.com/2347/
A hassle in the Java world is that some third party library will eventually reference an Apache library for API compatibility. Now 20 years of Internet garbage is going into the build. How many millions of critical vulnerabilities that imports isn't relevant. I want to know the best points to insert a manual dependency exclusion. Doing it manually is trial and error by checking for runtime failures.
IBM SMP/E, at least since 1985, kept track of every module and all dependencies used to build their mainframe OS. Change one module, and you could discover which products contained it. For any patches/zaps/fixes, you knew for sure which products needed automatic fixing across the board. Looks like people are reinventing the wheel. That said, it was a difficult beast to master.