Profile Applicability:
Level 1

Description:
All software dependencies must be explicitly pinned to specific, verified versions rather than using loose or floating version specifiers. Pinning dependencies ensures reproducible builds and reduces risks from unexpected or malicious changes in upstream packages.

Rationale:
Pinning dependencies prevents automatic updates that may introduce breaking changes, vulnerabilities, or instability. It supports secure and consistent builds by controlling the exact versions used, facilitating vulnerability management and auditing.

Impact:
Pros:

  • Ensures build reproducibility and consistency.

  • Reduces risk of unexpected vulnerabilities or bugs.

  • Facilitates dependency auditing and vulnerability tracking.

  • Simplifies troubleshooting by fixing dependency versions.

Cons:

  • May delay access to security patches or feature updates.

  • Requires manual updates and maintenance of version specifications.

Default value:
Many projects allow flexible version ranges by default, increasing the risk of unpredictable behavior.

Audit:
Review dependency manifests (e.g., package.json, requirements.txt) to verify versions are explicitly pinned. Check for use of exact version numbers or commit hashes.
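The manifest check described above, as an added audit helper (not part of this benchmark or any project's tooling). It treats a Python requirement as pinned only when it uses `==` or a direct reference ending in a 40-hex git commit, and an npm specifier as pinned only when it is an exact version or a git/URL reference ending in a full commit; the sample manifests are constructed inline.

```python
# Added audit helper, not part of the benchmark: flags floating dependency
# specifiers in requirements.txt and package.json text (sample inputs constructed below).
import json
import re

# Pinned Python requirement: "name==1.2.3" (extras allowed) or a direct
# reference ending in a 40-hex git commit, e.g. "name @ git+https://host/repo@<sha>".
_REQ_EXACT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*==\s*\S+")
_REQ_COMMIT = re.compile(r"@\s*\S+@[0-9a-f]{40}$")

def audit_requirements(text):
    """Return requirements.txt lines that are not pinned to an exact version or commit."""
    findings = []
    for raw in text.splitlines():
        line = re.split(r"(^|\s)#", raw, maxsplit=1)[0].strip()  # strip pip comments
        if not line or line.startswith("-"):  # blank line, --hash=, -r include
            continue
        if not (_REQ_EXACT.match(line) or _REQ_COMMIT.search(line)):
            findings.append(line)
    return findings

# Pinned npm specifier: exact "1.2.3" (prerelease/build suffix allowed) or a git/URL
# reference ending in "#<40-hex commit>"; ^, ~, ranges, "*" and tags are floating.
_NPM_EXACT = re.compile(r"^\d+\.\d+\.\d+([-+][0-9A-Za-z.-]+)?$")
_NPM_COMMIT = re.compile(r"#[0-9a-f]{40}$")

def audit_package_json(text, sections=("dependencies", "devDependencies")):
    """Return "name: spec" entries from package.json whose specifier floats."""
    manifest = json.loads(text)
    findings = []
    for section in sections:
        for name, spec in manifest.get(section, {}).items():
            if not (_NPM_EXACT.match(spec) or _NPM_COMMIT.search(spec)):
                findings.append(f"{name}: {spec}")
    return findings

# Constructed sample manifests (not from any real project).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0  # exact pin
flask>=2.0
cryptography
pyyaml ~= 6.0
mylib @ git+https://example.invalid/org/mylib.git@0123456789abcdef0123456789abcdef01234567
"""
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"lodash": "4.17.21", "express": "^4.18.2", "left-pad": "*"},
    "devDependencies": {"eslint": "~8.0.0",
                        "tool": "github:org/tool#0123456789abcdef0123456789abcdef01234567"},
})
```

Running `audit_requirements(SAMPLE_REQUIREMENTS)` and `audit_package_json(SAMPLE_PACKAGE_JSON)` returns the floating entries; a lockfile with integrity hashes remains the stronger control, and this check only covers the manifest files named in the audit step.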

Remediation:
Implement policies mandating explicit version pinning. Use dependency management tools and CI checks to enforce pinning. Train developers on best practices for managing dependency versions.

References:

  1. npm Versioning and SemVer: https://docs.npmjs.com/about-semantic-versioning

  2. Python Packaging User Guide - Specifying Dependencies: https://packaging.python.org/en/latest/discussions/install-requires-vs-requirements/

  3. CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/