On the Security Blind Spots of Software Composition Analysis
- URL: http://arxiv.org/abs/2306.05534v2
- Date: Mon, 9 Oct 2023 23:48:50 GMT
- Title: On the Security Blind Spots of Software Composition Analysis
- Authors: Jens Dietrich, Shawn Rasheed, Alexander Jordan, Tim White
- Abstract summary: We present a novel approach to detect vulnerable clones in the Maven repository.
We retrieve over 53k potential vulnerable clones from Maven Central.
We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
- Score: 46.1389163921338
- License: http://creativecommons.org/licenses/by-nc-sa/4.0/
- Abstract: Modern software heavily relies on the use of components. Those components are
usually published in central repositories, and managed by build systems via
dependencies. Due to issues around vulnerabilities, licenses and the
propagation of bugs, the study of those dependencies is of utmost importance,
and numerous software composition analysis tools have emerged for this purpose.
A particular challenge are hidden dependencies that are the result of cloning
or shading where code from a component is "inlined", and, in the case of
shading, moved to different namespaces.
We present a novel approach to detect vulnerable clones in the Maven
repository. Our approach is lightweight in that it does not require the
creation and maintenance of a custom index. Starting with 29 vulnerabilities
with assigned CVEs and proof-of-vulnerability projects, we retrieve over 53k
potential vulnerable clones from Maven Central. After running our analysis on
this set, we detect 727 confirmed vulnerable clones (86 if versions are
aggregated) and synthesize a testable proof-of-vulnerability project for each
of those. We demonstrate that existing SCA tools often miss those exposures. At
the time of submission those results have led to changes to the entries for six
CVEs in the GitHub Security Advisory Database (GHSA) via accepted pull
requests, with more pending.
Related papers
- Discovery of Timeline and Crowd Reaction of Software Vulnerability Disclosures [47.435076500269545]
Apache Log4J was found to be vulnerable to remote code execution attacks.
More than 35,000 packages were forced to update their Log4J libraries with the latest version.
It is practically reasonable for software developers to update their third-party libraries whenever the software vendors have released a vulnerable-free version.
arXiv Detail & Related papers (2024-11-12T01:55:51Z) - The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition.
Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies.
We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
arXiv Detail & Related papers (2024-09-10T10:12:37Z) - How to Understand Whole Software Repository? [64.19431011897515]
An excellent understanding of the whole repository will be the critical path to Automatic Software Engineering (ASE)
We develop a novel method named RepoUnderstander by guiding agents to comprehensively understand the whole repositories.
To better utilize the repository-level knowledge, we guide the agents to summarize, analyze, and plan.
arXiv Detail & Related papers (2024-06-03T15:20:06Z) - EmInspector: Combating Backdoor Attacks in Federated Self-Supervised Learning Through Embedding Inspection [53.25863925815954]
Federated self-supervised learning (FSSL) has emerged as a promising paradigm that enables the exploitation of clients' vast amounts of unlabeled data.
While FSSL offers advantages, its susceptibility to backdoor attacks has not been investigated.
We propose the Embedding Inspector (EmInspector) that detects malicious clients by inspecting the embedding space of local models.
arXiv Detail & Related papers (2024-05-21T06:14:49Z) - Patch2QL: Discover Cognate Defects in Open Source Software Supply Chain
With Auto-generated Static Analysis Rules [1.9591497166224197]
We propose a novel technique for detecting cognate defects in OSS through the automatic generation of SAST rules.
Specifically, it extracts key syntax and semantic information from pre- and post-patch versions of code.
We have implemented a prototype tool called Patch2QL and applied it to fundamental OSS in C/C++.
arXiv Detail & Related papers (2024-01-23T02:23:11Z) - Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem [0.773844059806915]
A comprehensive investigation was undertaken to examine the life cycle of vulnerability in Golang.
It turned out that 66.10% of modules in the Golang ecosystem were affected by vulnerabilities.
By analyzing reasons behind non-lagged and lagged vulnerabilities, timely releasing and indexing patch versions could significantly enhance ecosystem security.
arXiv Detail & Related papers (2023-12-31T14:53:51Z) - A Systematic Evaluation of Automated Tools for Side-Channel Vulnerabilities Detection in Cryptographic Libraries [6.826526973994114]
We surveyed the literature to build a classification of 34 side-channel detection frameworks.
We then built a benchmark of representative cryptographic operations on a selection of 5 promising detection tools.
We offer a classification of recently published side-channel vulnerabilities.
We find that existing tools can struggle to find vulnerabilities for a variety of reasons, mainly the lack of support for SIMD instructions, implicit flows, and internal secret generation.
arXiv Detail & Related papers (2023-10-12T09:18:26Z) - Detecting Security Fixes in Open-Source Repositories using Static Code
Analyzers [8.716427214870459]
We study the extent to which the output of off-the-shelf static code analyzers can be used as a source of features to represent commits in Machine Learning (ML) applications.
We investigate how such features can be used to construct embeddings and train ML models to automatically identify source code commits that contain vulnerability fixes.
We find that the combination of our method with commit2vec represents a tangible improvement over the state of the art in the automatic identification of commits that fix vulnerabilities.
arXiv Detail & Related papers (2021-05-07T15:57:17Z) - D2A: A Dataset Built for AI-Based Vulnerability Detection Methods Using
Differential Analysis [55.15995704119158]
We propose D2A, a differential analysis based approach to label issues reported by static analysis tools.
We use D2A to generate a large labeled dataset to train models for vulnerability identification.
arXiv Detail & Related papers (2021-02-16T07:46:53Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.