Detecting Security Vulnerabilities using Clone Detection and Community Knowledge

Viertel, Fabien Patrick; Brunotte, Wasja; Strüber, Daniel; Schneider, Kurt

doi:10.18293/seke2019-183

Cited by 8 publications

(3 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Typically, software engineers are not qualified to spot vulnerabilities in code, community knowledge, such as publicly accessible vulnerability databases, can help (Viertel et al, 2019). Literature shows that there are three sources of vulnerability data; the first is public databases, such as CVE, NVD, or snyk.io; the second is software producers' databases, such as Microsoft security bulletins; the third is specialized databases (Massacci and Nguyen, 2010).…”

Section: Intrinsic Trust Factormentioning

confidence: 99%

A Systematic Literature Review on Trust in the Software Ecosystem

Hou¹,

Jansen²

2022

Preprint

View full text Add to dashboard Cite

Background: The worldwide software ecosystem is a trust-rich part of the world. Throughout the software life cycle, software engineers, software end-users, and other stakeholders collaboratively place their trust in major hubs in the ecosystem, such as package managers, repository services, and software components. However, as our reliance on software grows, this trust is frequently violated by bad actors and crippling vulnerabilities in the software supply chain, endangering our livelihoods and the resilience of our society. Purpose: The purpose of this study is to define trust in the worldwide software ecosystem, that is, to determine what signifies a trustworthy system or actor. By improving our understanding of trust, we can create novel mechanisms for protecting the software ecosystem from vulnerabilities and attacks. Methods: We conduct a systematic literature review on the concept of trust in the worldwide software ecosystem. We acknowledge that trust is something between two actors in the software ecosystem, and we examine what role trust plays in the relationships between end-users and (1) software products, (2) package managers, (3) software producing organizations, and (4) software engineers. Results: Two major findings emerged from the systematic literature review. To begin, we provide a definition of trust in the software ecosystem, including a theoretical framework that decomposes and signifies a theoretical understanding of trust. Second, we provide a list of trust factors that can be used to assemble an overview of software trust. Conclusion: Trust is critical in the communication between actors in the worldwide software ecosystem, particularly regarding software selection and evaluation, and can affect the outcome either positively or negatively. According to the frequency

show abstract

Section: Intrinsic Trust Factormentioning

confidence: 99%

A Systematic Literature Review on Trust in the Software Ecosystem

Hou¹,

Jansen²

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Methods based on text [4] and lexical [5] approaches have the following limitations. They do not use information about the general structure of the code, which negatively affects the classification accuracy, and are also not effective for detecting Type-4 semantic clones.…”

Section: Introductionmentioning

confidence: 99%

Development of an algorithm for code clone detection in source code based on abstract syntax tree

Kubiuk,

Kyselov

2023

TAPR

View full text Add to dashboard Cite

The object of research of this work is the algorithm for searching for duplicates in the program code based on the Abstract Syntaxes Tree (AST). The main tasks solved within the framework of this study are the detection of duplicate code and the search for vulnerabilities in the program code. The obtained results showed that the proposed algorithm is resistant to type 1 and 2 clones, which means its effectiveness in detecting similar code fragments with identical or variant text. However, for type 3 and 4 clones, the algorithm may show less efficiency due to the change in the AST structure for these types of clones. Experimental studies of the proposed algorithm showed that the algorithm can detect matches between unrelated files due to the presence of typical AST chains present in many programs. This can lead to a certain level of false positives in the detection of duplicates. Testing of the algorithm in the task of finding vulnerabilities showed that: The best recognition is observed for the «SQL injection» vulnerability, but it also has the highest number of false positives. Memory leak and null pointer dereferencing vulnerabilities are detected with equal effectiveness and false positives. «Buffer overflow» has the lowest recognition rate but fewer false positives compared to «SQL injection». The study showed that the use of AST allows for the effective detection of duplicate code and vulnerabilities in the software code. The developed tool can help software developers reduce maintenance efforts, improve code quality, and ensure software product security.

show abstract

“…Source code clone research is a very active field which includes, among other things, research on technologies, algorithms and tools for clone detection (e.g., [39]), studies on the harmfulness of clones (e.g., [40]), studies of the relation between clones and vulnerabilities (e.g., [41]), technologies, algorithms and tools for code clone refactoring (e.g., [42]). This section is not meant to discuss all aspects of research on source code clone;…”

Section: Related Work On Overlapping Information In Clone Detection Rmentioning

confidence: 99%

Analysis and Maintainability of Complex Industry Test Code Using Clone Detection

Hasanain¹

View full text Add to dashboard Cite

Detecting Security Vulnerabilities using Clone Detection and Community Knowledge

Cited by 8 publications

References 20 publications

A Systematic Literature Review on Trust in the Software Ecosystem

A Systematic Literature Review on Trust in the Software Ecosystem

Development of an algorithm for code clone detection in source code based on abstract syntax tree

Analysis and Maintainability of Complex Industry Test Code Using Clone Detection

Contact Info

Product

Resources

About