OWASP Using Components with Known Vulnerabilities

September 10th, 2022

Components with Known Vulnerabilities

Most developers don't even know everything that is in their dependency tree.

Sadly, most successful attacks are not the exciting "zero day, rush to patch before they get it" kind of thing.

Most attacks are mundane.

pattern: use your build tool to extract a report of ALL the artifacts that went into your build (including the build tool's own plugins)

pattern: check that inventory against CVEs weekly, manually or automatically
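The two patterns above, carried through as an added example (not from the original note): a build-tool inventory in `pip freeze` style ("name==version", which Maven, npm and the like can emit equivalents of) is matched against a vulnerability feed using OSV-style introduced/fixed version ranges. Both the inventory and the advisory feed are constructed for the demo; the CVE ids and package names are placeholders, not real advisories. Run it from CI and it exits non-zero when anything in the build is within an affected range, which is the "automatically" half of the second pattern.

```python
"""Match a build's dependency inventory against a vulnerability feed.

Added example, not code from the original note. Assumptions:
  - the inventory is a pip-freeze-style list ("name==version");
  - the advisory feed is a list of {"id", "package", "introduced", "fixed"}
    records with OSV-style semantics: affected if introduced <= v < fixed.
All ids, packages and versions below are constructed placeholders.
"""
import re
import sys

# Constructed build inventory, as a build tool would dump it (plugins included).
INVENTORY = """\
requests==2.25.0
urllib3==1.26.4
build-plugin-foo==0.9.1
safe-lib==3.2.0
"""

# Constructed advisory feed. Ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "CVE-0000-0001", "package": "urllib3", "introduced": "1.26.0", "fixed": "1.26.5"},
    {"id": "CVE-0000-0002", "package": "requests", "introduced": "2.0.0", "fixed": "2.25.1"},
    {"id": "CVE-0000-0003", "package": "build-plugin-foo", "introduced": "0", "fixed": "1.0.0"},
    {"id": "CVE-0000-0004", "package": "safe-lib", "introduced": "1.0.0", "fixed": "2.0.0"},
]


def parse_version(v: str) -> tuple:
    """Turn '1.26.4' into (1, 26, 4); a non-numeric tail ends the tuple."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_inventory(text: str) -> dict:
    """Parse 'name==version' lines into {lower-cased name: version}."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """OSV-style range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable(inventory: dict, advisories: list) -> list:
    """Return one hit per (package, advisory) pair whose version is in range."""
    hits = []
    for adv in advisories:
        pkg = adv["package"].lower()
        if pkg in inventory and is_affected(inventory[pkg], adv["introduced"], adv["fixed"]):
            hits.append({"package": pkg, "version": inventory[pkg],
                         "id": adv["id"], "fixed": adv["fixed"]})
    return hits


def format_report(hits: list) -> str:
    """Human-readable report, one line per finding."""
    if not hits:
        return "no known-vulnerable components in inventory"
    return "\n".join(f"{h['package']}=={h['version']}: {h['id']} (fixed in {h['fixed']})"
                     for h in hits)


if __name__ == "__main__":
    findings = find_vulnerable(parse_inventory(INVENTORY), ADVISORIES)
    print(format_report(findings))
    # Non-zero exit makes this usable as a CI gate.
    sys.exit(1 if findings else 0)
```

In a real pipeline the inventory would come from the build tool's own dependency listing and the advisory feed from a maintained source, with the diff against last week's report being the thing a human actually reads.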

(src:
