In a CI/CD pipeline, a code quality check fails due to a security vulnerability in a third-party library. What is the best practice to address this?
Updating to the latest patched version resolves the vulnerability and maintains compatibility.
Why this answer
Updating the library to a patched version fixes the vulnerability at its source, which is what supply chain security in a CI/CD pipeline is about: the build consumes a dependency version that the maintainer has actually fixed, rather than one whose flaw is merely hidden or fenced off. In practice the fix is done as a controlled change, not a blind bump: read the advisory to find the first version that contains the fix, pin that version in the manifest or lockfile, and let the pipeline's test suite and a re-run of the dependency scan confirm that the application still works and that the finding is closed. A version bump can change behaviour, so the tests are the compatibility check, not an assumption.
Exam trap
Cisco often tests the misconception that a vulnerability in application code can be mitigated with a network control (such as a firewall rule) or dismissed by silencing the scanner, rather than fixed at the root cause through a dependency update.
How to eliminate wrong answers
Option A is wrong because suppressing the warning does not change the vulnerable code; the application ships exposed, the suppressed finding is easily forgotten, and the security-first principle of DevSecOps (fail the build on known risk) is abandoned. Option C is wrong because a firewall rule only restricts network access to the vulnerable component, while exploitation of a library flaw usually arrives inside the legitimate traffic the application must accept, so the firewall cannot tell attack from normal use; it is at best a temporary compensating control, not a fix for the insecure code. Option D is wrong because removing the dependency and rewriting its functionality is an extreme, time-consuming measure that is unnecessary when a patched version exists; it also leaves the team maintaining bespoke code that receives no upstream security fixes, ignoring the standard practice of dependency management and version updates.
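The remediation described above, as an added example that is not part of the original question or answer: a minimal dependency-audit gate of the kind a CI job runs before build. It checks exact pins against a list of advisories, picks the lowest version that clears every advisory for an affected package, rewrites the pin, and re-audits to confirm the finding is closed. The package names, version numbers and advisory labels (`EXAMPLE-ADV-*`) are constructed sample data, not real packages or real vulnerabilities.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One vulnerable version range for one package (constructed sample data)."""
    ident: str        # hypothetical advisory label, not a real CVE identifier
    package: str
    introduced: str   # first affected version, inclusive
    fixed: str        # first version that contains the maintainer's fix


# Constructed sample advisories: two overlapping ranges for widgetlib, one for parsekit.
ADVISORIES = [
    Advisory("EXAMPLE-ADV-1", "widgetlib", "1.0.0", "1.4.5"),
    Advisory("EXAMPLE-ADV-2", "widgetlib", "1.3.0", "1.4.3"),
    Advisory("EXAMPLE-ADV-3", "parsekit", "2.0.0", "2.1.0"),
]

# Constructed sample pin file as a CI job would read it from the repository.
REQUIREMENTS = """\
# constructed sample pin file
widgetlib==1.4.2
parsekit==1.9.8
httpglue==3.0.1
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9.]+)\s*(?:#.*)?$")


def parse_version(text):
    """Turn '1.4.10' into (1, 4, 10) so ranges compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text):
    """Return {package: version} for every exact pin; blank and comment lines are skipped.
    Anything that is not an exact pin is rejected: a floating range cannot be audited."""
    pins = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = PIN_RE.match(line)
        if not match:
            raise ValueError(f"only exact pins (name==version) are accepted: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def audit(pins, advisories):
    """Return {package: (current, required, [idents])} for each vulnerable pin.
    A pin is affected when introduced <= current < fixed. When several advisories
    hit one package, 'required' is the highest fixed version, so one bump clears all."""
    findings = {}
    for adv in advisories:
        name = adv.package.lower()
        current = pins.get(name)
        if current is None:
            continue
        cur = parse_version(current)
        if parse_version(adv.introduced) <= cur < parse_version(adv.fixed):
            prev = findings.get(name)
            required = adv.fixed
            if prev is not None and parse_version(prev[1]) > parse_version(adv.fixed):
                required = prev[1]
            idents = (prev[2] if prev else []) + [adv.ident]
            findings[name] = (current, required, idents)
    return findings


def remediate(text, findings):
    """Rewrite each affected pin to its required fixed version; other lines are untouched."""
    out = []
    for line in text.splitlines():
        match = PIN_RE.match(line)
        if match and match.group(1).lower() in findings:
            _, required, idents = findings[match.group(1).lower()]
            out.append(f"{match.group(1)}=={required}  # bumped for {', '.join(idents)}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    findings = audit(parse_requirements(REQUIREMENTS), ADVISORIES)
    for name, (current, required, idents) in findings.items():
        print(f"{name}: {current} is vulnerable ({', '.join(idents)}); update to {required}")
    fixed = remediate(REQUIREMENTS, findings)
    print(fixed)
    # The gate passes only when the re-audit of the rewritten pins is empty.
    print("gate:", "PASS" if not audit(parse_requirements(fixed), ADVISORIES) else "FAIL")
```

Two details are deliberate. `parsekit==1.9.8` is below the introduced version and is correctly left alone, which is the check that stops a blind "bump everything" reaction; and the two `widgetlib` advisories resolve to a single target version, 1.4.5, because updating to 1.4.3 would close one finding and leave the other open. In a real pipeline the rewritten pin file is committed on a branch and the existing test suite runs against it before merge.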