Third-party libraries with commented code

A question about handling commented functional code. There are many third-party libraries used in repositories, so if a developer decides to comment out any amount of code inside one or more of the files from these libraries, should we consider this a functional commented code vulnerability?

- Investigating the topic, I learned that when a developer uncomments the code it may cause bugs or not compile at all because it wasn't updated for too long. However, I didn't find anything specific about comments in third-party libraries.

- I checked the code on the internet and, comparing it, I found out that in my particular case the developer edited a considerable amount of code. The commented parts aren't commented out in the original library code. I noticed the original code is 400 lines shorter.

- Considering this analysis, I think that when developers edit much of the file, it may be better to consider the commented functional code a vulnerability.

Could you update the initial question with:

  • your previous research on the topic
  • your initial analysis and conclusions
  • did you check whether the library was already commented out?

Then we could build from there to give you the appropriate advice.

The initial question has been updated with the suggested points :+1:

It is a problem, but a different one. Dependencies or third-party libraries should not be versioned inside git. All apps should have a dependency manager (Maven, pip, npm, etc.), and the configuration file of this dependency manager is the only part that should be versioned. There is a vulnerability or security hygiene finding for that.

And reading it again, this case is even worse, because:

  • third-party libraries should never be modified; you should use libraries, not patch external dependencies, because that makes the whole software impossible to update (to a new, patched library).
  • it is possible to have licensing issues: many libraries are free to use, but modification needs a different procedure.
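The comparison the question describes doing by hand (checking the vendored copy against the library as published upstream), and the answer's point that a patched dependency is a finding in itself, can both be made mechanical. The script below is an added example for this thread, not code from either poster: it diffs the published release tree against the copy checked into the repository, reports added, removed and edited files, and for each edited file lists the upstream code lines that survive in the vendored copy only as comments, which is precisely the "commented functional code" case. The `UPSTREAM` and `VENDORED` trees are constructed samples; in practice the upstream tree would be read from the archive the dependency manager would fetch (sdist, wheel, npm tarball, jar) and the vendored tree from git.

```python
"""Check a vendored third-party library against its upstream release.

Added example for this thread (not code from either poster). Both file
trees are constructed in-memory samples, path -> contents; replace them
with the extracted release archive and the vendored directory.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Line comment markers for the languages expected in the vendored tree.
COMMENT_PREFIXES = ("#", "//")


@dataclass
class Finding:
    path: str
    status: str                       # "added" | "removed" | "modified"
    line_delta: int = 0               # vendored line count minus upstream
    commented_out: list[str] = field(default_factory=list)


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def is_comment(line: str) -> bool:
    return line.startswith(COMMENT_PREFIXES)


def uncomment(line: str) -> str:
    """Strip the comment marker and surrounding whitespace from a comment line."""
    return line.lstrip("#/").strip()


def commented_out_upstream_lines(upstream: str, vendored: str) -> list[str]:
    """Upstream code lines that appear in the vendored file only as comments.

    A hit means a developer commented out code that upstream ships active.
    Lines that are comments upstream as well are ignored."""
    upstream_code = {
        s for s in (line.strip() for line in upstream.splitlines())
        if s and not is_comment(s)
    }
    hits = []
    for raw in vendored.splitlines():
        s = raw.strip()
        if is_comment(s) and uncomment(s) in upstream_code:
            hits.append(uncomment(s))
    return hits


def compare_trees(upstream: dict[str, str], vendored: dict[str, str]) -> list[Finding]:
    """Diff two path -> contents mappings; unchanged files produce no finding."""
    findings = []
    for path in sorted(set(upstream) | set(vendored)):
        if path not in upstream:
            findings.append(Finding(path, "added"))
        elif path not in vendored:
            findings.append(Finding(path, "removed"))
        elif sha256(upstream[path]) != sha256(vendored[path]):
            up, ven = upstream[path], vendored[path]
            findings.append(Finding(
                path, "modified",
                line_delta=len(ven.splitlines()) - len(up.splitlines()),
                commented_out=commented_out_upstream_lines(up, ven),
            ))
    return findings


def report(findings: list[Finding]) -> str:
    lines = []
    for f in findings:
        line = f"{f.status:<9}{f.path}"
        if f.status == "modified":
            line += (f"  ({f.line_delta:+d} lines, "
                     f"{len(f.commented_out)} upstream line(s) commented out)")
        lines.append(line)
    return "\n".join(lines)


# Constructed sample: the library as published upstream.
UPSTREAM = {
    "lib/auth.py": ("import hmac\n\n"
                    "def verify(token, expected):\n"
                    "    if not hmac.compare_digest(token, expected):\n"
                    "        raise ValueError('bad token')\n"
                    "    return True\n"),
    "lib/util.py": "def helper():\n    return 1\n",
    "lib/legacy.py": "def old():\n    return 0\n",
}
# Constructed sample: the copy checked into the repository. The developer
# commented out the token check, dropped legacy.py and added a local patch.
VENDORED = {
    "lib/auth.py": ("import hmac\n\n"
                    "def verify(token, expected):\n"
                    "    # disabled locally, see ticket\n"
                    "    # if not hmac.compare_digest(token, expected):\n"
                    "    #     raise ValueError('bad token')\n"
                    "    return True\n"),
    "lib/util.py": "def helper():\n    return 1\n",
    "lib/local_patch.py": "def patched():\n    return 2\n",
}

if __name__ == "__main__":
    print(report(compare_trees(UPSTREAM, VENDORED)))
```

Any finding at all is the "patched dependency" issue from the answer above, independent of what was changed; the `commented_out` list is what to look at first, since in the sample it is a verification check that stopped running. A library pulled in through the dependency manager instead of copied into git would produce an empty report by construction.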