# Software Supply Chain Failures (A03:2025)

Expanded from 'Vulnerable and Outdated Components' to address broader supply chain risks, including unknown vulnerabilities introduced by third parties, compromised packages, and build system attacks.

## Overview

New category for 2025. The previous 'Vulnerable and Outdated Components' has evolved to encompass the full spectrum of supply chain risks, including compromised dependencies, typosquatting, and CI/CD pipeline attacks.

## How Attackers Exploit This

### Typosquatting attack

Malicious packages with names similar to popular libraries are published to package registries, hoping developers will install them by mistake.

**Detection signal:** Dependencies with unusual names, recent package publications, or low download counts.

### Compromised maintainer

An attacker gains access to a legitimate package maintainer's account and publishes malicious updates.

**Detection signal:** Unexpected version bumps, new dependencies added, obfuscated code in updates.

### Build system compromise

CI/CD pipelines are compromised to inject malicious code during the build process.

**Detection signal:** Build artifacts differ from source, unexpected network calls during build.

## How to Prevent

- Remove unused dependencies, features, components, and documentation
- Continuously inventory component versions and their dependencies using an SBOM
- Monitor sources like CVE, NVD, and OSV for vulnerabilities in components
- Only obtain components from official sources over secure links
- Verify package integrity using checksums and signatures
- Implement lockfiles and review dependency updates carefully
- Secure CI/CD pipelines with proper access controls and audit logging
- Use dependency scanning tools in your build pipeline

## CWEs with Detection Rules (2)

- **CWE-1104**: Use of Unmaintained Third Party Components (5 rules) [dockerfile, javascript]
- **CWE-829**: Inclusion of Functionality from Untrusted Control Sphere (4 rules) [go, javascript, typescript, yaml, python]

## Other Mapped CWEs (7)

- CWE-426: Untrusted Search Path
- CWE-427: Uncontrolled Search Path Element
- CWE-494: Download of Code Without Integrity Check
- CWE-830: Inclusion of Web Functionality from an Untrusted Source
- CWE-937: Using Components with Known Vulnerabilities (OWASP Top Ten 2013 Category A9)
- CWE-1035: Using Components with Known Vulnerabilities
- CWE-1357: Reliance on Insufficiently Trustworthy Component

## Quick Reference

- Total CWEs: 9
- With Shoulder rules: 2
- Detection rules: 9
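Two of the controls above, verifying package integrity against lockfile checksums and flagging the typosquatting signal (a dependency name within a couple of edits of a popular one), as an added example that is not part of this page or of any OWASP or Shoulder tooling. The lockfile format is pip's one-line `--hash=sha256:` pin style; the popular-name list, the wheel bytes and the lockfile contents are constructed for the demonstration.

```python
import hashlib
# Constructed list of popular names a typosquat would imitate; a real check would use a registry's top-N list.
POPULAR = {"requests", "numpy", "urllib3", "cryptography"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to a popular name is the typosquatting signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_candidates(name: str, popular=POPULAR, max_dist: int = 2) -> list:
    """Popular names within max_dist edits of `name` (an exact match is the real package, not a squat)."""
    return sorted(p for p in popular if p != name.lower() and edit_distance(name.lower(), p) <= max_dist)

def parse_lockfile(text: str) -> dict:
    """Parse one-line pins 'name==version --hash=sha256:<hex> ...' (pip --hash style); reject unpinned/unhashed."""
    pins = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name, _, version = parts[0].partition("==")
        hashes = {p.removeprefix("--hash=sha256:") for p in parts[1:] if p.startswith("--hash=sha256:")}
        if not version or not hashes:
            raise ValueError(f"unpinned or unhashed requirement: {line}")
        pins[name.lower()] = {"version": version, "hashes": hashes}
    return pins

def verify_artifact(pins: dict, name: str, data: bytes) -> bool:
    """True only if the downloaded bytes match a hash the lockfile recorded for that name."""
    return hashlib.sha256(data).hexdigest() in pins.get(name.lower(), {}).get("hashes", set())

def audit(lock_text: str, downloads: dict) -> list:
    """Report integrity failures and typosquat-like names for every pinned dependency."""
    pins = parse_lockfile(lock_text)
    findings = []
    for name in pins:
        if not verify_artifact(pins, name, downloads.get(name, b"")):
            findings.append((name, "integrity-failure"))
        findings += [(name, f"resembles:{near}") for near in typosquat_candidates(name)]
    return findings

# Constructed sample: bytes standing in for a downloaded wheel, and a lockfile pinning its hash.
GOOD_WHEEL = b"PK\x03\x04 constructed wheel contents for requests"
LOCKFILE = "requests==1.0.0 --hash=sha256:" + hashlib.sha256(GOOD_WHEEL).hexdigest() + "\n"
```

A tampered download (a maintainer-account or build-system compromise shipping different bytes under the same version) fails the hash check, while a name such as `reqeusts` is reported as resembling `requests` before anything is installed.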