Dependency on Vulnerable Third-Party Component
Dependency on Vulnerable Third-Party Component
CWE-1395
Per technology (GHSA, All time)
- 100%-Rust
Short description
Extended description
Best practices to prevent this CWE
Phase: Requirements; Policy
In some industries such as healthcare or technologies such as the cloud, it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
Phase: Requirements
Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM).
Phase: Architecture and Design; Implementation; Integration; Manufacturing
Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to, "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Phase: Operation; Patching and Maintenance
Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Phase: Operation; Patching and Maintenance
Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
