hack.lu 2023

Non vulnerable package dependency resolution
2023-10-18 , Salle Europe

Until now, two worlds have mostly ignored each others: the resolution of a software package dependency tree or graph to meet functional constraints and the search for package versions are not subject to known, published vulnerabilities (aka. CVEs) . What if we could combine the functional version range constraints from software developers with the known vulnerable version ranges from security specialist?


Software package ecosystems such as Maven, npm and PyPI as well as Linux distros define rich conventions to document package metadata and dependency relationships and constraints.

Vulnerability databases define which range of a package versions are subject to a known vulnerability.

Until now, these contexts have been considered separately.
- package management tools resolve the version expression of the dependent package of a package to resolved versions in order to install the selected versions.
- security tools check if resolved package versions are affected by known vulnerabilities (even when integrated in a package management tool)

This leads to duplicated efforts and either to the resolution of a vulnerable dependency graph; or vulnerability remediation that ignore functional constraints and may demand significant code refactoring.

We propose a new approach to resolve software package vulnerable version ranges and dependency version constraints together.

The obvious benefit is that you get both at once: non-vulnerable code and up-to-date code, and this is something that is not currently done by software package managers nor by security check tools.

This is made possible because of a universal syntax to identify packages called Package URL, a universal notation for version ranges that support equally the functional constraints and the vulnerable ranges, and an on-demand dependency resolver that can use these as inputs. And also a vulnerability database that is keyed by Package URLs.

See also: Slides (447.2 KB)

I am a passionate FOSS hacker, lead maintainer of ScanCode, purlDB and VulnerableCode and on a mission to enable easier and safer to reuse FOSS code with best-in-class open source Software Composition Analysis (SCA) tools for open source discovery, license & security compliance at https://aboutcode.org

I am also a co-founder of SPDX and the creator of Package URL (purl) a de-facto standard to identify packages in SBOMs, SCA tools and vulnerability database used throughout the industry.

This speaker also appears in: