A Screening Test for Disclosed Vulnerabilities in FOSS Components

Dashevskyi, Stanislav; Brucker, Achim D.; Massacci, Fabio

doi:10.1109/tse.2018.2816033

Cited by 29 publications

(15 citation statements)

References 49 publications

(130 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• If a patch to fix the vulnerability in the dependency exists use the code-base approach by Plate et al [18] and [29] to compare the nodes of the dependency tree of the version of interest to check whether one of them is affected • If no such fix exists report the vulnerability according to database approach (i.e., listed version in the vulnerability dataset).…”

Section: Table 3 Vuln4real Methodology Overviewmentioning

confidence: 99%

“…To avoid the false positive and false negative inflation introduced by name-based vulnerability matching ( [13], [14], [15]), we leverage on precise code-based approaches to vulnerability detection such as Ponta et al [6] and Dashevskyi et al [29]. Starting from known vulnerabilities disclosed in the NVD, advisories, bug tracking systems, etc., we manually identified and analyzed the commit fixing the vulnerability.…”

Section: Step 5: Identification Of Dependencies With Known Vulnerabilmentioning

confidence: 99%

“…We have also extracted the number of usages of the libraries in our sample as reported in mvnrepository.com. Figure 4 shows that the libraries in our sample are popular 29 within FOSS projects: 121 libraries are used by more than 1000 other libraries (and even more library versions), while median library has 291 dependents.…”

Section: Library Selection -The Way We Followedmentioning

confidence: 99%

“…• applies path simplifications and produces the results in the form of a human-readable report. 29. We have manually checked 27 libraries that have less than 10 usages and we found that they might be industry-specific libraries: e.g., they may have groupIds like com.sap.*.…”

Section: Library Selection -The Way We Followedmentioning

confidence: 99%

See 3 more Smart Citations

Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies

Pashchenko

Plate²,

Ponta³

et al. 2022

IIEEE Trans. Software Eng.

Self Cite

View full text Add to dashboard Cite

Vulnerable dependencies are a known problem in today's free open-source software ecosystems because FOSS libraries are highly interconnected, and developers do not always update their dependencies. Our paper proposes Vuln4Real, the methodology for counting actually vulnerable dependencies, that addresses the over-inflation problem of academic and industrial approaches for reporting vulnerable dependencies in FOSS software, and therefore, caters to the needs of industrial practice for correct allocation of development and audit resources. To understand the industrial impact of a more precise methodology, we considered the 500 most popular FOSS Java libraries used by SAP in its own software. Our analysis included 25767 distinct library instances in Maven. We found that the proposed methodology has visible impacts on both ecosystem view and the individual library developer view of the situation of software dependencies: Vuln4Real significantly reduces the number of false alerts for deployed code (dependencies wrongly flagged as vulnerable), provides meaningful insights on the exposure to third-parties (and hence vulnerabilities) of a library, and automatically predicts when dependency maintenance starts lagging, so it may not receive updates for arising issues.

show abstract

Section: Table 3 Vuln4real Methodology Overviewmentioning

confidence: 99%

Section: Step 5: Identification Of Dependencies With Known Vulnerabilmentioning

confidence: 99%

Section: Library Selection -The Way We Followedmentioning

confidence: 99%

Section: Library Selection -The Way We Followedmentioning

confidence: 99%

See 2 more Smart Citations

Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies

Pashchenko

Plate²,

Ponta³

et al. 2022

IIEEE Trans. Software Eng.

Self Cite

View full text Add to dashboard Cite

show abstract

“…. Unfortunately, MOSS prosumers cannot expect to systematically receive information about security flaws in the 3rd party components of their projects [E2.3]: the practices for reporting vulnerabilities vary across projects and ecosystems, and it is well-known that only a minor part is represented in de-facto vulnerability databases such as the NVD [38], which also suffer from poor accuracy [39], [40]. This makes it difficult for applications that depend on those components to understand the impact of the vulnerability and to correctly determine and compare mitigation strategies (e.g., whether upgrading to a more recent, non-vulnerable version of the component is urgent, or if an application-level change could effectively mitigate the vulnerability at hand and make a potentially expensive version update unnecessary [41]).…”

Section: A Continuous Validation Of Design's Securitymentioning

confidence: 99%