SV-AF — A Security Vulnerability Analysis Framework

The globalization of the software industry has introduced widespread reuse of system components across traditional system boundaries. Due to this global reuse, vulnerabilities and security concerns are also no longer limited in scope to individual systems but can now affect entire software ecosystems. While known vulnerabilities and security concerns are reported in specialized vulnerability databases, these repositories often remain information silos. In this research, we introduce a modeling approach that eliminates these silos by linking security knowledge with other software artifacts to improve traceability and trust in software products. Based on this approach, we introduce a Security Vulnerabilities Analysis Framework (SV-AF) to support evidence-based vulnerability detection. Two case studies illustrate the applicability of the approach: we link the NVD vulnerability database and the Maven build repository to trace vulnerabilities across repository and project boundaries. In our analysis, we identify that 750 Maven project releases are directly affected by known security vulnerabilities and, by considering transitive dependencies, an additional 415,604 Maven projects can be identified as potentially affected by these vulnerabilities.
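The tracing step the abstract describes, linking an NVD-style advisory to the Maven releases it covers and then walking the reverse dependency graph to find projects that inherit the vulnerability transitively, is shown below as an added example. It is not the paper's SV-AF implementation; the artifact coordinates, dependency graph and the CVE identifier are all constructed placeholders, and the version ordering is a simplified numeric comparison rather than Maven's full version scheme.

```python
"""Trace a known vulnerability from an NVD-style record to the Maven
releases that ship it and to the projects that inherit it transitively.
All data in this file is constructed for the example; nothing is drawn
from NVD or Maven Central."""
import re
from collections import defaultdict
from dataclasses import dataclass


def version_key(version):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically.
    Non-numeric qualifiers such as '-beta' are dropped, which is a
    simplification: Maven orders 1.3.0-beta before 1.3.0, this key does not."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    """Constructed NVD-style match: an artifact plus a [start, end) version
    range, mirroring NVD's versionStartIncluding / versionEndExcluding fields."""
    cve: str
    artifact: str          # "groupId:artifactId"
    start_inc: str
    end_exc: str

    def matches(self, artifact, version):
        if artifact != self.artifact:
            return False
        v = version_key(version)
        return version_key(self.start_inc) <= v < version_key(self.end_exc)


# Constructed Maven releases ("groupId:artifactId:version") mapped to their
# declared dependencies. Placeholder coordinates, not real Central artifacts.
RELEASES = {
    "org.example:parser:1.2.0": [],
    "org.example:parser:1.3.0": [],
    "org.example:web:2.0.0": ["org.example:parser:1.2.0"],
    "org.example:web:2.1.0": ["org.example:parser:1.3.0"],
    "com.acme:shop:5.0.0": ["org.example:web:2.0.0"],
    "com.acme:report:1.0.0": ["com.acme:shop:5.0.0"],
    "com.acme:cli:3.0.0": ["org.example:web:2.1.0"],
}

# Constructed advisory; the identifier is a placeholder, not a real CVE.
ADVISORIES = [Advisory("CVE-0000-0001", "org.example:parser", "1.0.0", "1.3.0")]


def split_gav(gav):
    group, artifact, version = gav.split(":")
    return f"{group}:{artifact}", version


def directly_affected(releases, advisories):
    """Releases whose own coordinates fall inside an advisory's version range.
    Returns {release: set of CVE ids}."""
    hits = {}
    for gav in releases:
        artifact, version = split_gav(gav)
        for adv in advisories:
            if adv.matches(artifact, version):
                hits.setdefault(gav, set()).add(adv.cve)
    return hits


def transitively_affected(releases, direct):
    """Walk the reverse dependency graph from every directly affected release.
    Returns {release: set of CVE ids reachable through some dependency path}."""
    dependents = defaultdict(set)
    for gav, deps in releases.items():
        for dep in deps:
            dependents[dep].add(gav)
    inherited = defaultdict(set)
    for root, cves in direct.items():
        stack, seen = [root], set()
        while stack:
            node = stack.pop()
            for user in dependents[node]:
                if user not in seen:
                    seen.add(user)
                    inherited[user] |= cves
                    stack.append(user)
    # A release that is itself vulnerable is reported as direct, not transitive.
    return {gav: cves for gav, cves in inherited.items() if gav not in direct}


if __name__ == "__main__":
    direct = directly_affected(RELEASES, ADVISORIES)
    print("directly affected:", direct)
    print("transitively affected:", transitively_affected(RELEASES, direct))
```

On the constructed graph only parser:1.2.0 is directly affected (1.3.0 sits outside the half-open range), and the closure reports web:2.0.0, shop:5.0.0 and report:1.0.0 but not cli:3.0.0, which depends on the fixed line. The closure is an over-approximation in exactly the sense the abstract's "potentially affected" implies: a dependent may never call the vulnerable code, and Maven's dependency mediation may resolve a different version than the one declared, so a transitive hit is a lead for evidence-based triage rather than a confirmed exposure.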
