Write a Blog >>
ESEM 2021
Mon 11 - Fri 15 October 2021
Tue 12 Oct 2021 14:20 - 14:35 at ESEM ROOM - Testing & Security 1 Chair(s): Davide Fucci

Background: Modern software uses many third-party libraries and frameworks as dependencies. Known vulnerabilities in these dependencies are a potential security risk. Software composition analysis (SCA) tools, therefore, are being increasingly adopted by practitioners to keep track of vulnerable dependencies.

Aim: The goal of this study is to understand the difference in vulnerability reporting by various SCA tools. Understanding if and how existing SCA tools differ in their analysis may help security practitioners to choose the right tooling and identify future research needs.

Method: We present an in-depth case study by comparing the analysis reports of 9 industry-leading SCA tools on a large web application, OpenMRS, composed of Maven (Java) and npm (JavaScript) projects.

Results: We find that the tools vary in their vulnerability reporting. The count of reported vulnerable dependencies ranges from 17 to 332 for Maven and from 32 to 239 for npm projects across the studied tools. Similarly, the count of unique known vulnerabilities reported by the tools ranges from 36 to 313 for Maven and from 45 to 234 for npm projects. Our manual analysis of the tools’ results suggest that accuracy of the vulnerability database is a key differentiator for SCA tools.

Conclusion: We recommend that practitioners should not rely on any single tool at the present, as that can result in missing known vulnerabilities. We point out two research directions in the SCA space: i) establishing frameworks and metrics to identify false positives for dependency vulnerabilities; and ii) building automation technologies for continuous monitoring of vulnerability data from open source package ecosystems.

Tue 12 Oct

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

14:20 - 15:15
Testing & Security 1Technical Papers / Emerging Results and Vision papers at ESEM ROOM
Chair(s): Davide Fucci Blekinge Institute of Technology
A comparative study of vulnerability reporting by software composition analysis tools
Technical Papers
Nasif Imtiaz North Carolina State University, Seaver Thorn North Carolina State University, Laurie Williams North Carolina State University
Pre-print Media Attached
An Empirical Study of Rule-Based and Learning-Based Approaches for Static Application Security Testing
Technical Papers
Roland Croft , Dominic Newlands University of Adelaide, Ziyu Chen Monash University, Muhammad Ali Babar University of Adelaide
Pre-print Media Attached
An Empirical Analysis of Practitioners' Perspectives on Security Tool Integration into DevOps
Technical Papers
Roshan Namal Rajapakse The University of Adelaide, Mansooreh Zahedi The Univeristy of Melbourne, Muhammad Ali Babar University of Adelaide
Why Some Bug-bounty Vulnerability Reports are Invalid?
Emerging Results and Vision papers
Saman Shafigh University of New South Wales, Boualem Benatallah University of New South Wales, Carlos Rodriguez University of New South Wales, Mortada Al-Banna University of New South Wales

Information for Participants
Tue 12 Oct 2021 14:20 - 15:15 at ESEM ROOM - Testing & Security 1 Chair(s): Davide Fucci
Info for room ESEM ROOM: