Beyond Metadata: Code-Centric and Usage-Based Analysis of Known Vulnerabilities in Open-Source Software

Ponta, Serena Elisa; Plate, Henrik; Sabetta, Antonino

doi:10.1109/icsme.2018.00054

Cited by 66 publications

(52 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this paper we rely on the terminology established among practitioners and used in well-known dependency manage- 3. Similarly to releasing Eclipse Steady (https://eclipse.github.io/ steady/) after publishing [6], we are planning to undergo the SAP procedure for publishing the tool behind Vuln4Real as FOSS. A reader interested in accessing the tool may contact the corresponding author.…”

Section: Terminologymentioning

confidence: 99%

“…We rely on the works from Plate et al [18] and Ponta et al [6], who propose a precise approach to use the patchbased mapping of vulnerabilities onto the affected components (see Section 6).…”

Section: Vulnerability Matching Approachesmentioning

confidence: 99%

“…To avoid the false positive and false negative inflation introduced by name-based vulnerability matching ( [13], [14], [15]), we leverage on precise code-based approaches to vulnerability detection such as Ponta et al [6] and Dashevskyi et al [29]. Starting from known vulnerabilities disclosed in the NVD, advisories, bug tracking systems, etc., we manually identified and analyzed the commit fixing the vulnerability.…”

Section: Step 5: Identification Of Dependencies With Known Vulnerabilmentioning

confidence: 99%

“…The creation of such knowledge is a one-time effort for each vulnerability. Then, for every analyzed project, the list of all withinproject libraries of the project and all its dependencies is collected by performing a code-level matching of the vulnerable fragment following the approach of [6]. Whenever the vulnerable code fragment is contained within a dependency, the corresponding vulnerability is automatically reported for our analysis.…”

Section: Step 5: Identification Of Dependencies With Known Vulnerabilmentioning

confidence: 99%

“…This allows us to construct the resolved dependency tree for each library instance. • uses the code-based approach of [6] to annotate dependency trees with the vulnerability data at our disposal.…”

Section: Library Selection -The Way We Followedmentioning

confidence: 99%

See 4 more Smart Citations

Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies

Pashchenko

Plate²,

Ponta³

et al. 2022

IIEEE Trans. Software Eng.

Self Cite

View full text Add to dashboard Cite

Vulnerable dependencies are a known problem in today's free open-source software ecosystems because FOSS libraries are highly interconnected, and developers do not always update their dependencies. Our paper proposes Vuln4Real, the methodology for counting actually vulnerable dependencies, that addresses the over-inflation problem of academic and industrial approaches for reporting vulnerable dependencies in FOSS software, and therefore, caters to the needs of industrial practice for correct allocation of development and audit resources. To understand the industrial impact of a more precise methodology, we considered the 500 most popular FOSS Java libraries used by SAP in its own software. Our analysis included 25767 distinct library instances in Maven. We found that the proposed methodology has visible impacts on both ecosystem view and the individual library developer view of the situation of software dependencies: Vuln4Real significantly reduces the number of false alerts for deployed code (dependencies wrongly flagged as vulnerable), provides meaningful insights on the exposure to third-parties (and hence vulnerabilities) of a library, and automatically predicts when dependency maintenance starts lagging, so it may not receive updates for arising issues.

show abstract

Section: Terminologymentioning

confidence: 99%

Section: Vulnerability Matching Approachesmentioning

confidence: 99%

Section: Step 5: Identification Of Dependencies With Known Vulnerabilmentioning

confidence: 99%

Section: Step 5: Identification Of Dependencies With Known Vulnerabilmentioning

confidence: 99%

Section: Library Selection -The Way We Followedmentioning

confidence: 99%

See 3 more Smart Citations

Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies

Pashchenko

Plate²,

Ponta³

et al. 2022

IIEEE Trans. Software Eng.

Self Cite

View full text Add to dashboard Cite

show abstract

A Double-Edged Sword? Software Reuse and Potential Security Vulnerabilities

Gkortzis

Feitosa

Spinellis

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Reuse is a common and often-advocated software development practice. Significant efforts have been invested into facilitating it, leading to advancements such as software forges, package managers, and the widespread integration of open source components into proprietary software systems. Reused software can make a system more secure through its maturity and extended vetting, or increase its vulnerabilities through a larger attack surface or insecure coding practices. To shed more light on this issue, we investigate the relationship between software reuse and potential security vulnerabilities, as assessed through static analysis. We empirically investigated 301 open source projects in a holistic multiple-case methods study. In particular, we examined the distribution of potential vulnerabilities between the native code created by a project's development team and external code reused through dependencies, as well as the correlation between the ratio of reuse and the density of vulnerabilities. The results suggest that the amount of potential vulnerabilities in both native and reused code increases with larger project sizes. We also found a weak-to-moderate correlation between a higher reuse ratio and a lower density of vulnerabilities. Based on these findings it appears that code reuse is neither a frightening werewolf introducing an excessive number of vulnerabilities nor a silver bullet for avoiding them.

show abstract

Communicating Cybersecurity Vulnerability Information: A Producer-Acquirer Case Study

Hell

Höst

2021

Product-Focused Software Process Improvement

View full text Add to dashboard Cite

The increase in both the use of open-source software (OSS) and the number of new vulnerabilities reported in this software constitutes an increased threat to businesses, people, and our society. To mitigate this threat, vulnerability information must be efficiently handled in organizations. In addition, where e.g., IoT devices are integrated into systems, such information must be disseminated from producers, who are implementing patches and new firmware, to acquirers who are responsible for maintaining the systems. We conduct an exploratory case study with one producer of IoT devices and one acquirer of the same devices, where the acquirer integrates the devices into larger systems. Through this two-sided case study, we describe company roles, internal and intercompany communication, and the decisions that need to be made with regard to cybersecurity vulnerabilities. We also identify and discuss both challenges and opportunities for improvements, from the point of view of both the producer and acquirer.

show abstract

Beyond Metadata: Code-Centric and Usage-Based Analysis of Known Vulnerabilities in Open-Source Software

Cited by 66 publications

References 17 publications

Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies

Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies

A Double-Edged Sword? Software Reuse and Potential Security Vulnerabilities

Communicating Cybersecurity Vulnerability Information: A Producer-Acquirer Case Study

Contact Info

Product

Resources

About