Detection, assessment and mitigation of vulnerabilities in open source dependencies



Serena Elisa Ponta¹ · Henrik Plate¹ · Antonino Sabetta¹

© The Author(s) 2020

Abstract

Open source software (OSS) libraries are widely used in industry to speed up the development of software products. However, these libraries are subject to an ever-increasing number of publicly disclosed vulnerabilities. It is thus crucial for application developers to detect dependencies on vulnerable libraries in a timely manner, to precisely assess their impact, and to mitigate any potential risk. This paper presents a novel method to detect, assess and mitigate OSS vulnerabilities. Unlike state-of-the-art approaches that rely on metadata to identify vulnerable OSS dependencies, our solution is code-centric: it combines static and dynamic analyses to determine whether the vulnerable portion of a library is reachable in the context of a given application. Our approach also supports developers in choosing among the existing non-vulnerable library versions, with the goal of determining and minimizing incompatibilities. Eclipse Steady, the open source implementation of our code-centric and usage-based approach, is the tool recommended for scanning Java software products at SAP; it has been successfully used to perform more than one million scans of about 1500 applications. In this paper we report on the lessons learned when maturing the tool from a research prototype to an industrial-grade solution. To evaluate Eclipse Steady, we conducted an empirical study comparing its detection capabilities with those of OWASP Dependency Check (OWASP DC), scanning 300 large enterprise applications under development with a total of 78165 dependencies. Reviewing a sample of the findings reported by only one of the two tools revealed that all Steady findings are true positives, while 88.8% of the OWASP DC findings for vulnerabilities covered by our code-centric approach are false positives. For vulnerabilities not caused by code but due, e.g., to erroneous configuration, 63.3% of OWASP DC findings are true positives.
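The abstract contrasts metadata-based detection (a dependency is flagged as soon as a vulnerable version appears in the build) with a code-centric, reachability-based assessment. The following is an added example written for this page, not Eclipse Steady's own implementation or the authors' code: it applies the two complementary analyses to a constructed sample application. The static side parses the source with Python's ast module, builds a call graph and searches it from the application's entry points; the dynamic side executes the entry points under a profiler and records which functions actually run. Every name in the sample (the lib_ and app_ functions, the set of "vulnerable constructs", the entry point) is an assumption made for illustration; in practice the vulnerable constructs would come from a vulnerability database mapping an advisory to the changed methods of the fixing commit.

```python
"""Reachability of vulnerable library code: static call-graph analysis combined
with dynamic tracing. Constructed example, not Eclipse Steady's implementation."""
import ast
import sys
from collections import deque

# Constructed sample: an "application" (app_ functions) that uses a "library"
# (lib_ functions). All names below are hypothetical.
SAMPLE_SOURCE = '''
def lib_unescape(s):
    return s.replace("&amp;", "&")

def lib_render_template(tpl, ctx):   # stands in for a vulnerable library method
    return tpl.format(**ctx)

def lib_legacy_deserialize(blob):    # vulnerable, but never reached from the app
    return blob                      # stand-in for an unsafe deserialization routine

def lib_audit_log(msg):              # vulnerable, reached only via a dispatch table
    return "audit:" + msg

def lib_format_greeting(name):
    return lib_render_template("Hello {name}", {"name": lib_unescape(name)})

LIB_HANDLERS = {"audit": lib_audit_log}

def app_handle_request(name):
    LIB_HANDLERS["audit"](name)      # indirect call: invisible to the simple static analysis
    return lib_format_greeting(name)

def app_admin_export(blob):          # dead code: no entry point calls it
    return lib_legacy_deserialize(blob)
'''

# Constructs an (assumed) vulnerability database flags as vulnerable.
VULNERABLE_CONSTRUCTS = {"lib_render_template", "lib_legacy_deserialize", "lib_audit_log"}
# The application's entry points (assumed: one request handler).
ENTRY_POINTS = {"app_handle_request"}


def build_call_graph(source):
    """Static analysis: map each top-level function to the names it calls directly.
    Only direct calls by name are resolved; calls through tables or reflection are missed."""
    graph = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            graph[node.name] = {
                sub.func.id
                for sub in ast.walk(node)
                if isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name)
            }
    return graph


def statically_reachable(graph, entry_points):
    """Breadth-first search over the call graph from the application's entry points."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def dynamically_traced(source, entry_points, args):
    """Dynamic analysis: run the entry points under a profiler and record every
    function defined in the sample that actually executes."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    defined = {k for k, v in namespace.items() if callable(v) and not k.startswith("__")}
    executed = set()

    def profiler(frame, event, arg):
        if event == "call" and frame.f_code.co_name in defined:
            executed.add(frame.f_code.co_name)

    previous = sys.getprofile()
    sys.setprofile(profiler)
    try:
        for ep in entry_points:
            namespace[ep](*args)
    finally:
        sys.setprofile(previous)
    return executed


def assess(source=SAMPLE_SOURCE, entry_points=ENTRY_POINTS,
           vulnerable=VULNERABLE_CONSTRUCTS, sample_args=("<b>&amp;</b>",)):
    """Combine both analyses. A construct that is neither statically reachable nor
    dynamically observed is included in the application but, as far as the
    evidence goes, not exploitable; one observed only dynamically shows the
    static analysis under-approximates and the two must be combined."""
    graph = build_call_graph(source)
    static = statically_reachable(graph, entry_points)
    dynamic = dynamically_traced(source, entry_points, sample_args)
    return {c: {"static": c in static, "dynamic": c in dynamic} for c in sorted(vulnerable)}


if __name__ == "__main__":
    for construct, evidence in assess().items():
        print(f"{construct:25s} static={evidence['static']!s:5s} dynamic={evidence['dynamic']}")
```

Running assess() on the sample reports lib_render_template as reachable by both analyses, lib_legacy_deserialize as reachable by neither (the dependency is present, but the vulnerable method is only called from dead code), and lib_audit_log as observed dynamically but missed statically because it is invoked through a dispatch table. The last case is why the paper combines the two analyses rather than relying on either alone: a metadata-based scanner would flag all three constructs identically, while a purely static one would miss the third.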
Communicated by: David Lo and Foutse Khomh

This article belongs to the Topical Collection: Software Maintenance and Evolution (ICSME)

Serena Elisa Ponta, [email protected]
Henrik Plate, [email protected]
Antonino Sabetta, [email protected]

1 SAP Security Research, Mougins, France

Empirical Software Engineering

Keywords Open source software · Publicly known vulnerabilities · Code-centric vulnerability analysis · Combination of static and dynamic analysis · Usage-based update support

1 Introduction

The use of OSS libraries as well as the number of available libraries are ever-increasing: Synopsys Black Duck (2019) reports that over 96% of the applications they analyzed include OSS libraries, whose code often accounts for more than 50% of the average code base; Snyk (2019) reports a growth of 102% in the number of Java OSS libraries available in Maven Central and of 40% for Python libraries in the Python Package Index (PyPI)