Autofix for Open Source Deps: Extended Lifetime Support

Updating to the latest version of an open source dependency can be a difficult task as breaking changes require application changes. When updating to the latest version of a package is not a viable option, you can stay secure by using hardened libraries or Aikido's Extended Lifetime Support (ELS).

Aikido offers a catalog of packages that solve security issues in versions of packages that are no longer maintained. These packages are drop-in replacements and don't require application changes.

For example the 1.x versions of log4j have been out of maintenance since 2015, but are still used in many projects. Updating these projects to log4j 2.x is infeasible in many cases. 1.2.17 is the latest 1.x version of log4j, it contains the following critical CVEs:

• CVE-2019-17571 - remote code execution

• CVE-2020-9493 - malicious code execution

• CVE-2022-23305 - SQL injection

Our ELS version of log4j 1.2.17 fixes these critical CVEs without introducing breaking changes.

The ELS packages are created by TuxCare. TuxCare specializes in End-Of-Life security and ports patches to unmaintained versions of packages.

AutoFix for Open Source Dependencies

Aikido AutoFix for open source dependencies will automatically propose an upgrade to an ELS version where available. This is visible on the AutoFix dependency overview screen. The Java ELS packages are hosted on maven.aikido.io.

In order to then upgrade to the ELS version, you need to select this option in the AutoFix creation modal.

Availability

ELS packages are currently available for Java, JavaScript and Python. Supported packages are listed below