Proceedings of the 15th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) 2021
DOI: 10.1145/3475716.3475769
A comparative study of vulnerability reporting by software composition analysis tools

Abstract: Background: Modern software uses many third-party libraries and frameworks as dependencies. Known vulnerabilities in these dependencies are a potential security risk. Software composition analysis (SCA) tools, therefore, are being increasingly adopted by practitioners to keep track of vulnerable dependencies. Aim: The goal of this study is to understand the difference in vulnerability reporting by various SCA tools. Understanding if and how existing SCA tools differ in their analysis may help security practiti…

Cited by 45 publications (10 citation statements). References 20 publications.

Citation statements:
“…A comparable feature is not present in most compiled languages, like Java, C/C++ or Ruby. In such cases, execution is achieved either at runtime, e.g., by embedding the payload in a specific function or initializer, or by poisoning test routines [19]. Differences also exist in regards to code obfuscation and malware detection.…”
[Table rows spilled into this statement during extraction; the recoverable safeguard names are: Integrity check of dependencies through cryptographic hashes [9], [36], [83], [109], [131], [135], [138]; Maintain detailed SBOM [5], [8], [53], [183], [184] and perform SCA [8], [31], [43], [48], [51], [53], [55], [42], [123], [185]; Code signing [47], [83], [109], [135], [138], [141]; Application Security Testing [34], [39], [41], [46], [55], [56], [58], [66], [80], [122], [134], [187].]
Section: Discussion (citation type: mentioning; confidence: 99%)
“…A number of free and commercial software composition analysis (SCA) tools exist that analyze the open-source components of a project for security risks and license compliance. Each of them differs widely in terms of accuracy, the quality of the vulnerability database, and the level of granularity [33]. For instance, OWASP DC [34] analyzes dependency files of a project and notifies developers if known vulnerabilities are present in the project's transitive dependencies.…”
Section: Towards Intelligent Software Composition Analysis (citation type: mentioning; confidence: 99%)
“…Supply chain security: Recent works have focused on the secure use of open source dependencies as part of the software supply chain [24,31,40,41]. Duan et al have proposed static and dynamic analysis approaches to detect malicious packages for the interpreted languages [19], while Sejfia et al have proposed machine learning models to detect malicious npm packages [33].…”
Section: Related Work (citation type: mentioning; confidence: 99%)
“…[31,40] Therefore, practitioners are now recommended to review dependency updates before merging them into the codebase [3,39], as the responsibility of security lies on the consumer when using free open-source code [38]. However, manually reviewing all the code changes in each update may not be a practical solution, as projects may have hundreds of direct and transitive dependencies [24,34]. Further, actively maintained packages get frequent updates, overburdening any project that would employ such strict measures.…”
Section: Introduction (citation type: mentioning; confidence: 99%)