unpinned, unscanned, and unreproducible supply chains

Dependency Issues (SCA)

Software Composition Analysis is about the code you depend on: unpinned versions make builds non-reproducible, missing lockfiles let the tree drift, and unscanned dependencies carry known CVEs straight into production.

Code you didn't write still ships in your build -- pin it, lock it, and scan it.

In the wild

Pin the Tree

Caret ranges float to whatever published last; a committed lockfile makes installs byte-identical.

example.js
// SMELL: caret ranges float to whatever published last
"dependencies": { "left-pad": "^1.0.0" }   // 1.0.0? 1.9.3? who knows

// RIGHT: commit the lockfile so installs are byte-identical
// package-lock.json / yarn.lock pins the entire tree.
// CI: `npm ci` (not `npm install`) installs exactly the lock.

^1.0.0 resolves differently over time. A committed lockfile makes every machine install the same tree -- the cure for 'works on my machine'.

// observed
no lock: two devs, two dependency trees
npm ci:  identical install everywhere

Pin the Versions (and Scan Them)

Unpinned requirements drift on every install; pinning freezes the build and lets a scanner check for CVEs.

example.py
# SMELL: unpinned requirements drift on every install
requests
flask

# RIGHT: pin exact versions (and hashes), then scan them
requests==2.32.3   # produced by pip-compile (pip-tools)
flask==3.0.3
# pip-compile --generate-hashes adds a --hash=sha256:... to each pin,
# so pip refuses any artifact that does not match.
# CI: `pip-audit` flags pinned versions with known CVEs

Pinning exact versions freezes the build; an SCA tool (pip-audit, Dependabot) then checks those pins against vulnerability databases.

// observed
unpinned: surprise upgrade breaks prod at 2am
pinned:   reproducible -- and auditable for CVEs
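A lint that enforces the Pin the Tree and Pin the Versions points above, as an added example (not code from this page): it flags any requirements.txt line that is not an exact `==` pin (optionally requiring a `--hash`) and any package.json specifier that is a range, tag or URL. The sample manifests and package names in it are constructed for illustration.

```python
import json
import re

# Constructed sample inputs (not from the page): a requirements.txt and a package.json.
REQUIREMENTS_TXT = """\
requests
flask>=2.0
urllib3==2.2.2 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
idna==3.7
"""
PACKAGE_JSON = json.dumps({
    "dependencies": {"left-pad": "^1.0.0", "lodash": "~4.17.21", "express": "4.19.2"},
    "devDependencies": {"jest": "latest"},
})

# Exact pins only: "name==1.2.3" for pip, a bare "1.2.3" (no range operator) for npm.
PIP_PIN = re.compile(r"^\s*([A-Za-z0-9_.\-\[\]]+)\s*==\s*[^\s;]+")
NPM_EXACT = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.\-]+)?$")


def audit_requirements(text: str, require_hashes: bool = False) -> list[str]:
    """One finding per requirement that floats (no ==) or, if asked, lacks a --hash."""
    findings = []
    # Join backslash-continued lines so a pin and its --hash entries are seen together.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blanks and options such as -r / --index-url
            continue
        name = re.split(r"[<>=!~;\s]", line, maxsplit=1)[0]
        if not PIP_PIN.match(line):
            findings.append(f"{name}: not pinned with == ({line})")
        elif require_hashes and "--hash=" not in line:
            findings.append(f"{name}: pinned but no --hash")
    return findings


def audit_package_json(text: str) -> list[str]:
    """One finding per dependency whose specifier is a range, dist-tag or URL."""
    pkg = json.loads(text)
    return [f"{name}: floating specifier {spec!r}"
            for field in ("dependencies", "devDependencies")
            for name, spec in pkg.get(field, {}).items()
            if not NPM_EXACT.match(spec)]


if __name__ == "__main__":
    for f in audit_requirements(REQUIREMENTS_TXT, require_hashes=True) + audit_package_json(PACKAGE_JSON):
        print("FLOATING:", f)
```

This only reports drift risk in the manifests; the page's actual fix is the committed lockfile plus `npm ci` / `pip-compile`, which this check is meant to gate in CI.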

Lock the Infrastructure

Infrastructure dependencies drift too; a committed provider lock keeps applies deterministic.

example.tf
# Terraform: same lesson, infrastructure edition
# SMELL: unconstrained provider -> drift between applies
terraform {
  required_providers { aws = {} }
}

# RIGHT: pin the provider and commit .terraform.lock.hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.40" }
  }
}

Infrastructure dependencies drift too. A committed provider lock keeps terraform apply reproducible across the team.

// observed
unpinned: provider upgrades silently change infra
locked:   plan/apply are deterministic

Weakness catalog

Mapped weaknesses (CWE)

On its own, this defect is catalogued by MITRE as one or more of these weaknesses. The exploitable vulnerability usually appears only when it chains or combines with another.