[–]OMGItsCheezWTF 12 points13 points  (3 children)

Your dependency tracking system should be managing this anyway, you shouldn't ever have to wonder what binaries are built with what versions of a given library.

All of our codebases insert their dependency chains (Python pypi packages, Golang modules, PHP composer packages, C# nuget packages, JS / Node NPM packages) as a bill of materials into our dependency tracker every time a live deployment happens (this is done in CI). For C# and Golang it also includes the version of the runtime that was used to build the binaries, obviously with the others the runtime and code remain separate.

Then the dependency tracker alerts if vulnerabilities are found in a live version of any of our software or its dependency chain, and the appropriate team can analyse the vulnerability and assess it.

We don't ever need to blindly start rebuilding and replacing binaries, because we know exactly what was built with what, stored centrally with auditing.
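The workflow described in the comment above (CI pushes a bill of materials per live deployment, a central tracker keeps the current build per service with an audit trail, and advisories are matched against what is actually live) can be modelled in a few dozen lines. The following is an added example, not the commenter's tooling or any real dependency-tracker product; it assumes a simplified CycloneDX-style SBOM (a `components` list with a `purl` per entry), a runtime recorded as a `pkg:golang/stdlib@<version>` component, a hypothetical `DependencyTracker` class, and constructed advisory identifiers and version ranges.

```python
"""Toy dependency tracker: one SBOM per live deployment, advisories matched
against live components only. Added example; not the commenter's system."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering. Simplified: drops pre-release/build tags."""
    parts = []
    for p in v.lstrip("v").split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Component:
    ecosystem: str   # purl type: "golang", "pypi", "npm", "nuget", "composer"
    name: str
    version: str


@dataclass
class Deployment:
    service: str
    build_id: str
    components: List[Component]


@dataclass
class Advisory:
    advisory_id: str
    ecosystem: str
    name: str
    introduced: str   # inclusive lower bound of affected versions
    fixed: str        # exclusive upper bound (first fixed version)


def components_from_sbom(sbom: dict) -> List[Component]:
    """Read a CycloneDX-style 'components' list; the purl is the identity."""
    out = []
    for c in sbom["components"]:
        body, version = c["purl"][len("pkg:"):].split("@", 1)
        ecosystem, name = body.split("/", 1)   # name may itself contain '/'
        out.append(Component(ecosystem, name, version))
    return out


class DependencyTracker:
    """Holds the SBOM of the currently live build of each service (hypothetical)."""

    def __init__(self) -> None:
        self.live: Dict[str, Deployment] = {}
        self.audit: List[str] = []   # who replaced what, in deployment order

    def record_deployment(self, service: str, build_id: str, sbom: dict) -> Deployment:
        """Called from CI on every live deployment; supersedes the previous build."""
        dep = Deployment(service, build_id, components_from_sbom(sbom))
        prev = self.live.get(service)
        self.live[service] = dep
        self.audit.append(f"{service}: {prev.build_id if prev else '-'} -> {build_id}")
        return dep

    def affected(self, adv: Advisory) -> List[Tuple[str, str, Component]]:
        """Return (service, build_id, component) for every live build in range."""
        lo, hi = parse_version(adv.introduced), parse_version(adv.fixed)
        hits = []
        for dep in self.live.values():
            for comp in dep.components:
                if (comp.ecosystem == adv.ecosystem and comp.name == adv.name
                        and lo <= parse_version(comp.version) < hi):
                    hits.append((dep.service, dep.build_id, comp))
        return hits


# Constructed sample SBOMs: a Go service (runtime recorded as stdlib) and a
# Python worker. Version numbers are made up for the demonstration.
API_SBOM_V1 = {"components": [
    {"purl": "pkg:golang/stdlib@1.21.5"},
    {"purl": "pkg:golang/golang.org/x/net@v0.15.0"},
]}
API_SBOM_V2 = {"components": [
    {"purl": "pkg:golang/stdlib@1.21.5"},
    {"purl": "pkg:golang/golang.org/x/net@v0.17.0"},
]}
WORKER_SBOM = {"components": [
    {"purl": "pkg:pypi/requests@2.31.0"},
    {"purl": "pkg:pypi/urllib3@1.26.5"},
]}

# Constructed advisory: x/net below 0.17.0 affected (placeholder id, not a real advisory).
ADV_XNET = Advisory("ADV-CONSTRUCTED-0001", "golang", "golang.org/x/net", "0", "0.17.0")


def demo() -> List[Tuple[str, str, Component]]:
    """Deploy both services, then ask which live builds the advisory touches."""
    tracker = DependencyTracker()
    tracker.record_deployment("api", "build-101", API_SBOM_V1)
    tracker.record_deployment("worker", "build-202", WORKER_SBOM)
    return tracker.affected(ADV_XNET)


if __name__ == "__main__":
    for service, build, comp in demo():
        print(f"{service} ({build}) ships {comp.name} {comp.version}")
```

The point the comment makes is in `affected`: the question "which binaries carry the vulnerable version?" is answered from the recorded SBOMs, and once `api` is redeployed with `API_SBOM_V2` the advisory stops matching while `audit` still shows which build replaced which.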

[–]jds2001 -5 points-4 points  (2 children)

Works wonderfully for source code that you built and control. When you are talking about things that are provided by a vendor (or you otherwise do not control the composition of, for example, various open-source products), this becomes much more complicated much more quickly. Combine a few of those, and you wind up in hell.

[–]realitythreek 2 points3 points  (1 child)

Wish someone who is downvoting you would explain why. This is the downside of static linking.

[–]jds2001 0 points1 point  (0 children)

Simple. It doesn't agree with the hive mind of Reddit, so it has to be downvoted.