A06: Vulnerable and Outdated Components
Scan application dependencies to find and patch libraries with known vulnerabilities.
Interactive Simulation
Use a simulated dependency scanner to find and patch a vulnerable third-party library.
How to Simulate
- With the defense disabled, click "Scan Dependencies".
- Observe that the "OldQuery" library is flagged as vulnerable with a CVE identifier.
- Enable the "Patch Components" defense toggle to simulate updating the library.
- Run the scan again to confirm that all dependencies are now secure.
Explanation
Modern applications rely heavily on third-party libraries and components, often pulled from repositories like NPM or Maven. If a component has a known vulnerability (tracked with a CVE identifier) and the application is not patched, it becomes a weak point that attackers can exploit.
This is one of the most common and impactful attack vectors. Regular dependency scanning and a timely patching process are crucial for security.
Toggle Defense
This action simulates running a package manager (like `npm update`) to update the vulnerable "OldQuery" library to a new, secure version where the vulnerability has been fixed.
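To make the scan-then-patch flow concrete, here is an added example (not the simulation's own code): a minimal npm-style dependency scanner. It checks each declared dependency against a constructed advisory list, flags versions below the fixed release, then applies the "Patch Components" step by bumping flagged packages and re-scanning. The package names, versions and the CVE string are placeholders I constructed for illustration; they are not real advisories.

```javascript
// Added example: a tiny dependency scanner in the style of the simulation.
// Everything below (package names, versions, advisory ids) is constructed.

// Constructed advisory database: a package is affected on versions below `fixedIn`.
const ADVISORIES = [
  {
    name: "oldquery",
    cve: "CVE-XXXX-PLACEHOLDER", // placeholder id, not a real CVE
    fixedIn: "2.0.0",
    severity: "high",
    title: "constructed advisory standing in for the simulation's OldQuery library",
  },
];

// Constructed manifest shaped like the `dependencies` section of package.json.
const MANIFEST_BEFORE = {
  dependencies: { oldquery: "^1.4.2", "unrelated-util": "3.1.0" },
};

// Parse "major.minor.patch" (optional leading "v"); prerelease tags are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Return -1, 0 or 1 comparing two semver strings numerically per component.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Reduce a range spec such as "^1.4.2" or "~1.4.2" to its lowest allowed version.
// A real scanner reads the lockfile to learn what is actually installed; the
// manifest range alone only tells you the minimum the project accepts.
function pinnedVersion(spec) {
  return spec.replace(/^[\^~>=<\s]+/, "");
}

// Scan: report every dependency whose version is below an advisory's fixed release.
function scanDependencies(manifest, advisories = ADVISORIES) {
  const findings = [];
  for (const [name, spec] of Object.entries(manifest.dependencies || {})) {
    const version = pinnedVersion(spec);
    for (const adv of advisories) {
      if (adv.name === name && compareSemver(version, adv.fixedIn) < 0) {
        findings.push({
          name,
          version,
          cve: adv.cve,
          severity: adv.severity,
          fixedIn: adv.fixedIn,
        });
      }
    }
  }
  return findings;
}

// Patch: the "Patch Components" toggle, i.e. bump each flagged package to the
// fixed version (what `npm update` would do if the range allows it).
function patchComponents(manifest, findings) {
  const patched = { ...manifest, dependencies: { ...manifest.dependencies } };
  for (const f of findings) patched.dependencies[f.name] = f.fixedIn;
  return patched;
}

// Full simulation: scan, patch, scan again to confirm nothing is still flagged.
function runSimulation(manifest) {
  const before = scanDependencies(manifest);
  const patched = patchComponents(manifest, before);
  const after = scanDependencies(patched);
  return { before, after, patched };
}

console.log(JSON.stringify(runSimulation(MANIFEST_BEFORE), null, 2));
```

The first scan flags `oldquery` at 1.4.2 against the constructed advisory; after patching to 2.0.0 the second scan returns no findings, which is the "all dependencies are now secure" state the simulation shows. Note the `pinnedVersion` caveat: a caret range in package.json says what the project accepts, not what is installed, so a production scanner must resolve the lockfile (package-lock.json or equivalent) rather than trust the manifest.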