The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach
- URL: http://arxiv.org/abs/2409.06390v1
- Date: Tue, 10 Sep 2024 10:12:37 GMT
- Title: The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach
- Authors: Giacomo Benedetti, Serena Cofano, Alessandro Brighente, Mauro Conti,
- Abstract summary: Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition.
Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies.
We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
- Score: 56.4040698609393
- License: http://creativecommons.org/licenses/by-sa/4.0/
- Abstract: The Software Supply Chain (SSC) security is a critical concern for both users and developers. Recent incidents, like the SolarWinds Orion compromise, proved the widespread impact resulting from the distribution of compromised software. The reliance on open-source components, which constitute a significant portion of modern software, further exacerbates this risk. To enhance SSC security, the Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition. However, despite its promise, SBOMs are not without limitations. Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies, leading to the creation of erroneous or incomplete representations of the SSC. Despite existing studies exposing these limitations, their impact on the vulnerability detection capabilities of security tools is still unknown. In this paper, we perform the first security analysis on the vulnerability detection capabilities of tools receiving SBOMs as input. We comprehensively evaluate SBOM generation tools by providing their outputs to vulnerability identification software. Based on our results, we identify the root causes of these tools' ineffectiveness and propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings. PIP-sbom provides improved accuracy in component identification and dependency resolution. Compared to best-performing state-of-the-art tools, PIP-sbom increases the average precision and recall by 60%, and reduces by ten times the number of false positives.
Related papers
- Improving Discovery of Known Software Vulnerability For Enhanced Cybersecurity [0.0]
Vulnerability detection relies on standardized identifiers such as Common Platformion (CPE) strings.
Non-standardized CPE strings issued by software vendors create a significant challenge.
Inconsistent naming conventions, and versioning practices lead to mismatches when querying databases.
arXiv Detail & Related papers (2024-12-21T12:43:52Z) - Supply Chain Insecurity: The Lack of Integrity Protection in SBOM Solutions [0.0]
The Software Bill of Materials (SBOM) is paramount in ensuring software supply chain security.
Under the Executive Order issued by President Biden, the adoption of the SBOM has become obligatory within the United States.
This work presents an in-depth and systematic investigation into the integrity of SBOMs.
arXiv Detail & Related papers (2024-12-06T15:52:12Z) - Enhanced LLM-Based Framework for Predicting Null Pointer Dereference in Source Code [2.2020053359163305]
We propose a novel approach using a fine-tuned Large Language Model (LLM) termed "DeLLNeuN"
Our model showed 87% accuracy with 88% precision using the Draper VDISC dataset.
arXiv Detail & Related papers (2024-11-29T19:24:08Z) - A Landscape Study of Open Source and Proprietary Tools for Software Bill
of Materials (SBOM) [3.1190983209295076]
Software Bill of Materials (SBOM) is a repository that inventories all third-party components and dependencies used in an application.
Recent supply chain breaches underscore the urgent need to enhance software security and vulnerability risks.
This research paper conducts an empirical analysis to assess the current landscape of open-source and proprietary tools related to SBOM.
arXiv Detail & Related papers (2024-02-17T00:36:20Z) - Identifying the Risks of LM Agents with an LM-Emulated Sandbox [68.26587052548287]
Language Model (LM) agents and tools enable a rich set of capabilities but also amplify potential risks.
High cost of testing these agents will make it increasingly difficult to find high-stakes, long-tailed risks.
We introduce ToolEmu: a framework that uses an LM to emulate tool execution and enables the testing of LM agents against a diverse range of tools and scenarios.
arXiv Detail & Related papers (2023-09-25T17:08:02Z) - On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
We present a novel approach to detect vulnerable clones in the Maven repository.
We retrieve over 53k potential vulnerable clones from Maven Central.
We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
arXiv Detail & Related papers (2023-06-08T20:14:46Z) - AIBugHunter: A Practical Tool for Predicting, Classifying and Repairing
Software Vulnerabilities [27.891905729536372]
AIBugHunter is a novel ML-based software vulnerability analysis tool for C/C++ languages that is integrated into Visual Studio Code.
We propose a novel multi-objective optimization (MOO)-based vulnerability classification approach and a transformer-based estimation approach to help AIBugHunter accurately identify vulnerability types and estimate severity.
arXiv Detail & Related papers (2023-05-26T04:21:53Z) - A survey on hardware-based malware detection approaches [45.24207460381396]
Hardware-based malware detection approaches leverage hardware performance counters and machine learning prowess.
We meticulously analyze the approach, unraveling the most common methods, algorithms, tools, and datasets that shape its contours.
The discussion extends to crafting mixed hardware and software approaches for collaborative efficacy, essential enhancements in hardware monitoring units, and a better understanding of the correlation between hardware events and malware applications.
arXiv Detail & Related papers (2023-03-22T13:00:41Z) - Free Lunch for Generating Effective Outlier Supervision [46.37464572099351]
We propose an ultra-effective method to generate near-realistic outlier supervision.
Our proposed textttBayesAug significantly reduces the false positive rate over 12.50% compared with the previous schemes.
arXiv Detail & Related papers (2023-01-17T01:46:45Z) - Federated Learning with Unreliable Clients: Performance Analysis and
Mechanism Design [76.29738151117583]
Federated Learning (FL) has become a promising tool for training effective machine learning models among distributed clients.
However, low quality models could be uploaded to the aggregator server by unreliable clients, leading to a degradation or even a collapse of training.
We model these unreliable behaviors of clients and propose a defensive mechanism to mitigate such a security risk.
arXiv Detail & Related papers (2021-05-10T08:02:27Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.