Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies

Vulnerable dependencies are a known problem in today's free open-source software (FOSS) ecosystems because FOSS libraries are highly interconnected and developers do not always update their dependencies. Our paper proposes Vuln4Real, a methodology for counting actually vulnerable dependencies. It addresses the over-inflation problem of existing academic and industrial approaches for reporting vulnerable dependencies in FOSS software and therefore caters to the needs of industrial practice for a correct allocation of development and audit resources. To understand the industrial impact of a more precise methodology, we considered the 500 most popular FOSS Java libraries used by SAP in its own software. Our analysis included 25767 distinct library instances in Maven. We found that the proposed methodology has visible impacts on both the ecosystem view and the individual library developer's view of the state of software dependencies: Vuln4Real significantly reduces the number of false alerts for deployed code (dependencies wrongly flagged as vulnerable), provides meaningful insights into the exposure of a library to third parties (and hence to their vulnerabilities), and automatically predicts when the maintenance of a dependency starts lagging, so that it may no longer receive updates for newly arising issues.
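The abstract contrasts a naive count, in which every dependency in the resolved tree that matches an advisory is reported, with a count restricted to dependencies that actually reach deployed code, and it mentions detecting when a dependency's maintenance starts lagging. The Python below is an added illustration of those two ideas and is not the paper's Vuln4Real implementation or SAP's data: the Maven-style coordinates, scopes, advisory ranges and release dates are constructed, and the lagging heuristic (time since the last release compared with the median historical inter-release interval) is an assumption chosen for the example, not the model the paper uses.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass
class Dependency:
    group: str
    artifact: str
    version: str
    scope: str            # Maven scope: compile, runtime, test or provided
    release_dates: list   # release history of this artifact (constructed)

    @property
    def coordinate(self):
        return f"{self.group}:{self.artifact}"


@dataclass
class Advisory:
    group: str
    artifact: str
    affected_below: str   # constructed range: every version strictly below this is affected


# Constructed sample data, chosen so that only one advisory hits deployed code.
DEPS = [
    Dependency("org.example", "web-core", "2.3.1", "compile",
               [date(2018, 1, 10), date(2018, 7, 10), date(2019, 1, 10)]),
    Dependency("org.example", "json-util", "1.4.0", "compile",
               [date(2016, 3, 1), date(2016, 9, 1), date(2017, 3, 1)]),
    Dependency("org.example", "test-harness", "0.9.2", "test",
               [date(2019, 5, 1), date(2019, 11, 1)]),
    Dependency("org.example", "servlet-api", "3.0.0", "provided",
               [date(2019, 2, 1), date(2019, 8, 1)]),
]
ADVISORIES = [
    Advisory("org.example", "web-core", "2.4.0"),
    Advisory("org.example", "test-harness", "1.0.0"),
    Advisory("org.example", "servlet-api", "3.1.0"),
]
TODAY = date(2020, 1, 1)  # constructed reference date for the lag check

# Only these scopes end up in the shipped artifact; test and provided do not.
DEPLOYED_SCOPES = {"compile", "runtime"}


def version_tuple(v):
    """Compare simple dotted numeric versions as tuples (1.10.0 > 1.9.0)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(dep, adv):
    return (dep.group, dep.artifact) == (adv.group, adv.artifact) and \
        version_tuple(dep.version) < version_tuple(adv.affected_below)


def matches_any(dep, advisories):
    return any(is_affected(dep, a) for a in advisories)


def naive_count(deps, advisories):
    """Over-inflated view: every dependency matching an advisory, whatever its scope."""
    return sum(1 for d in deps if matches_any(d, advisories))


def deployed_count(deps, advisories):
    """Dependencies that are both affected and actually part of deployed code."""
    return sum(1 for d in deps
               if d.scope in DEPLOYED_SCOPES and matches_any(d, advisories))


def false_alerts(deps, advisories):
    """Alerts the naive view raises for code that is never deployed."""
    return naive_count(deps, advisories) - deployed_count(deps, advisories)


def is_lagging(dep, today, factor=3):
    """Assumed heuristic (not the paper's model): maintenance is lagging when the
    gap since the last release exceeds `factor` times the median release interval."""
    dates = sorted(dep.release_dates)
    if len(dates) < 2:
        return False
    intervals = [(later - earlier).days for earlier, later in zip(dates, dates[1:])]
    return (today - dates[-1]).days > factor * median(intervals)


def lagging_dependencies(deps, today):
    return [d.coordinate for d in deps if is_lagging(d, today)]


if __name__ == "__main__":
    print("naive vulnerable count:   ", naive_count(DEPS, ADVISORIES))
    print("deployed vulnerable count:", deployed_count(DEPS, ADVISORIES))
    print("false alerts:             ", false_alerts(DEPS, ADVISORIES))
    print("lagging dependencies:     ", lagging_dependencies(DEPS, TODAY))
```

On the constructed data the naive view reports three vulnerable dependencies while only one (the compile-scoped web-core) reaches deployed code, so two of the three alerts would consume audit effort on test-only and container-provided artifacts. The lag check singles out json-util, whose last release is far older than its own release cadence would predict, which is the kind of dependency that may not receive a fix when an advisory for it appears.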
