Resolve #2467 by splitting and clarifying the 3rd party vuln requirements (#2489)

* Resolve #2467 by splitting and clarifying the 3rd party vuln requirements

* tag fix

---------

Co-authored-by: Elar Lang <47597707+elarlang@users.noreply.github.com>
tghosth and elarlang authored Jan 1, 2025
1 parent c1cce51 commit 2b6c28e
Showing 2 changed files with 3 additions and 2 deletions.
3 changes: 2 additions & 1 deletion 5.0/en/0x18-V10-Coding.md
@@ -16,6 +16,7 @@ This chapter also contains requirements to prevent the introduction of malicious
| **1.10.2** | [MODIFIED, MOVED FROM 14.2.5, MERGED FROM 14.2.4] Verify that an inventory catalog, such as software bill of materials (SBOM), is maintained of all third-party libraries in use, including verifying that components come from pre-defined, trusted, and continually maintained repositories. | ||| |
| **1.10.3** | [ADDED, SPLIT FROM 14.2.6] Verify that application documentation highlights "risky" third party libraries which should include: libraries which perform operations which are dangerous from a security perspective, libraries which are poorly maintained, unsupported, or end of life, libraries which have historically had several significant vulnerabilities, etc. | | || 1061 |
| **1.10.4** | [ADDED, SPLIT FROM 1.14.5] Verify that application documentation highlights parts of the application where "risky" operations are being performed. "Risky" in this context means those with a high likelihood of being dangerously exploited such as: deserialization of untrusted data, raw file parsing, direct memory manipulation, etc. | | || |
| **1.10.4** | [ADDED, SPLIT FROM 14.2.1] Verify that application documentation defines risk based remediation time frames for 3rd party component versions with vulnerabilities and for updating libraries in general, to minimize the risk from these components. |||| |

## V10.1 Code Integrity
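Review bot: the added row reuses the identifier **1.10.4**, which the row directly above it (ADDED, SPLIT FROM 1.14.5) already carries, so the table now has two 1.10.4 entries; the V14 side of this same commit refers to the new requirement as 1.10.5 (`[SPLIT TO 1.10.5, 10.6.1]`), so the row should start `| **1.10.5** | [ADDED, SPLIT FROM 14.2.1] ...`. While touching the line, "risk based" reads better hyphenated as "risk-based", and "3rd party component" could match the "third-party libraries" wording used in 1.10.2.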

@@ -75,7 +76,7 @@ Dependency management is critical to the safe operation of any application of an

| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| **10.6.1** | [MODIFIED, MOVED FROM 14.2.1] Verify that all components are up to date. |||| |
| **10.6.1** | [ADDED, SPLIT FROM 14.2.1] Verify that the application only contains components which have not breached the documented update and remediation time frames. |||| |
| **10.6.2** | [MODIFIED, MOVED FROM 10.3.2] Verify that third-party components and all of their transitive dependencies are included from the expected repository, whether internally owned or an external source, and that there is no risk of a dependency confusion attack. |||| 427 |

## V10.7 Concurrency
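Review bot: the new 10.6.1 wording depends on "the documented update and remediation time frames" without saying which requirement produces that documentation; since both this row and the new V1.10 row are split from the same 14.2.1, pointing at the V1.10 requirement added in this commit (for example "as defined in the application documentation, see the corresponding V1.10 requirement") would keep the two halves of the split traceable for a reader who only opens V10.6. The level columns also remain empty (`||||`), as in the row being replaced, so the requirement still has no level assigned, and unlike 10.6.2 (CWE 427) the CWE column is blank.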
2 changes: 1 addition & 1 deletion 5.0/en/0x22-V14-Config.md
@@ -48,7 +48,7 @@ Compliance with this section requires an automated build system, and access to b

| # | Description | L1 | L2 | L3 | CWE |
| :---: | :--- | :---: | :---: | :---: | :---: |
| **14.2.1** | [MOVED TO 10.6.1] | | | | |
| **14.2.1** | [SPLIT TO 1.10.5, 10.6.1] | | | | |
| **14.2.2** | [MOVED TO 14.1.6] | | | | |
| **14.2.3** | [MOVED TO 50.7.1] | | | | |
| **14.2.4** | [DELETED, MERGED TO 1.10.2] | | | | |
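Review bot: `[SPLIT TO 1.10.5, 10.6.1]` points at 1.10.5, but the V10 file changed in this same commit adds the split-out documentation requirement under **1.10.4**, a number that table already uses for a different requirement; the two files must agree, so either renumber the new V10 row to 1.10.5 or correct this tag to whatever identifier the V10 row ends up with.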