Mitigating Persistence of Open-Source Vulnerabilities in Maven Ecosystem
- URL: http://arxiv.org/abs/2308.03419v1
- Date: Mon, 7 Aug 2023 09:11:26 GMT
- Title: Mitigating Persistence of Open-Source Vulnerabilities in Maven Ecosystem
- Authors: Lyuye Zhang, Chengwei Liu, Sen Chen, Zhengzi Xu, Lingling Fan, Lida
Zhao, Yiran Zhang, Yang Liu
- Abstract summary: Despite patches being released promptly after vulnerabilities are disclosed, the libraries and applications in the community still use the vulnerable versions.
We propose a solution for range restoration (Ranger) to automatically restore the compatible and secure version ranges of dependencies for downstream dependents.
- Score: 13.193125763978255
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Vulnerabilities from third-party libraries (TPLs) have been unveiled to
threaten the Maven ecosystem. Despite patches being released promptly after
vulnerabilities are disclosed, the libraries and applications in the community
still use the vulnerable versions, which makes the vulnerabilities persistent
in the Maven ecosystem (e.g., the notorious Log4Shell still greatly influences
the Maven ecosystem nowadays from 2021). Both academic and industrial
researchers have proposed user-oriented standards and solutions to address
vulnerabilities, while such solutions fail to tackle the ecosystem-wide
persistent vulnerabilities because it requires a collective effort from the
community to timely adopt patches without introducing breaking issues.
To seek an ecosystem-wide solution, we first carried out an empirical study
to examine the prevalence of persistent vulnerabilities in the Maven ecosystem.
Then, we identified affected libraries for alerts by implementing an algorithm
monitoring downstream dependents of vulnerabilities based on an up-to-date
dependency graph. Based on them, we further quantitatively revealed that
patches blocked by upstream libraries caused the persistence of
vulnerabilities. After reviewing the drawbacks of existing countermeasures, to
address them, we proposed a solution for range restoration (Ranger) to
automatically restore the compatible and secure version ranges of dependencies
for downstream dependents. The automatic restoration requires no manual effort
from the community, and the code-centric compatibility assurance ensures smooth
upgrades to patched versions. Moreover, Ranger along with the ecosystem
monitoring can timely alert developers of blocking libraries and suggest
flexible version ranges to rapidly unblock patch versions. By evaluation,
Ranger could restore 75.64% of ranges which automatically remediated 90.32% of
vulnerable downstream projects.
Related papers
- The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition.
Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies.
We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
arXiv Detail & Related papers (2024-09-10T10:12:37Z) - On Security Weaknesses and Vulnerabilities in Deep Learning Systems [32.14068820256729]
We specifically look into deep learning (DL) framework and perform the first systematic study of vulnerabilities in DL systems.
We propose a two-stream data analysis framework to explore vulnerability patterns from various databases.
We conducted a large-scale empirical study of 3,049 DL vulnerabilities to better understand the patterns of vulnerability and the challenges in fixing them.
arXiv Detail & Related papers (2024-06-12T23:04:13Z) - FaultGuard: A Generative Approach to Resilient Fault Prediction in Smart Electrical Grids [53.2306792009435]
FaultGuard is the first framework for fault type and zone classification resilient to adversarial attacks.
We propose a low-complexity fault prediction model and an online adversarial training technique to enhance robustness.
Our model outclasses the state-of-the-art for resilient fault prediction benchmarking, with an accuracy of up to 0.958.
arXiv Detail & Related papers (2024-03-26T08:51:23Z) - Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem [0.773844059806915]
A comprehensive investigation was undertaken to examine the life cycle of vulnerability in Golang.
It turned out that 66.10% of modules in the Golang ecosystem were affected by vulnerabilities.
By analyzing reasons behind non-lagged and lagged vulnerabilities, timely releasing and indexing patch versions could significantly enhance ecosystem security.
arXiv Detail & Related papers (2023-12-31T14:53:51Z) - Dependency Practices for Vulnerability Mitigation [4.710141711181836]
We analyze more than 450 vulnerabilities in the npm ecosystem to understand why dependent packages remain vulnerable.
We identify over 200,000 npm packages that are infected through their dependencies.
We use 9 features to build a prediction model that identifies packages that quickly adopt the vulnerability fix and prevent further propagation of vulnerabilities.
arXiv Detail & Related papers (2023-10-11T19:48:46Z) - Analyzing Maintenance Activities of Software Libraries [65.268245109828]
Industrial applications heavily integrate open-source software libraries nowadays.
I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
arXiv Detail & Related papers (2023-06-09T16:51:25Z) - On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
We present a novel approach to detect vulnerable clones in the Maven repository.
We retrieve over 53k potential vulnerable clones from Maven Central.
We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
arXiv Detail & Related papers (2023-06-08T20:14:46Z) - Transformer-based Vulnerability Detection in Code at EditTime:
Zero-shot, Few-shot, or Fine-tuning? [5.603751223376071]
We present a practical system that leverages deep learning on a large-scale data set of vulnerable code patterns.
We show that in comparison with state of the art vulnerability detection models our approach improves the state of the art by 10%.
arXiv Detail & Related papers (2023-05-23T01:21:55Z) - Vulnerability Propagation in Package Managers Used in iOS Development [2.9280059958992286]
Vulnerabilities may be found even in well-known libraries.
The library dependency network in the Swift ecosystem encompasses libraries from CocoaPods, Carthage and Swift Package Manager.
Although most libraries with publicly reported vulnerabilities are written in C, the highest impact of publicly reported vulnerabilities originated from libraries written in native iOS languages.
arXiv Detail & Related papers (2023-05-17T16:22:38Z) - VELVET: a noVel Ensemble Learning approach to automatically locate
VulnErable sTatements [62.93814803258067]
This paper presents VELVET, a novel ensemble learning approach to locate vulnerable statements in source code.
Our model combines graph-based and sequence-based neural networks to successfully capture the local and global context of a program graph.
VELVET achieves 99.6% and 43.6% top-1 accuracy over synthetic data and real-world data, respectively.
arXiv Detail & Related papers (2021-12-20T22:45:27Z) - Autosploit: A Fully Automated Framework for Evaluating the
Exploitability of Security Vulnerabilities [47.748732208602355]
Autosploit is an automated framework for evaluating the exploitability of vulnerabilities.
It automatically tests the exploits on different configurations of the environment.
It is able to identify the system properties that affect the ability to exploit a vulnerability in both noiseless and noisy environments.
arXiv Detail & Related papers (2020-06-30T18:49:18Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.