ICSE 2022
Sun 8 - Fri 27 May 2022
Tue 10 May 2022 11:05 - 11:10 at ICSE room 4-odd hours - Software Security 7 Chair(s): Diomidis Spinellis
Tue 10 May 2022 21:05 - 21:10 at ICSE room 2-odd hours - Software Security 4 Chair(s): Hamid Bagheri

The use of vulnerable open-source dependencies is a known problem in today’s software development. Several vulnerability scanners that detect known-vulnerable dependencies have appeared in the last decade; however, no case study has investigated the impact of development practices, e.g., forking, patching and re-bundling, on their performance. This paper studies (i) the types of modifications that may affect vulnerable open-source dependencies and (ii) their impact on the performance of vulnerability scanners. Through an empirical study of 7024 Java projects developed at SAP, we identified four types of modifications: re-compilation, re-bundling, metadata-removal and re-packaging. In particular, we found that more than 87% (56%, resp.) of the vulnerable Java classes considered occur in Maven Central in re-bundled (re-packaged, resp.) form. We assessed the impact of these modifications on the performance of the open-source vulnerability scanners OWASP Dependency-Check and Eclipse Steady, GitHub Security Alerts, and three commercial scanners. The results show that none of the scanners is able to handle all the types of modifications identified. Finally, we present Achilles, a novel test suite with 2505 test cases that allow replicating the modifications on open-source dependencies. This paper was accepted by IEEE Transactions on Software Engineering (IEEE TSE) on July 15th, 2021 and has been available as early access since August 4th, 2021.
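The following is an added example, not code from the paper, from Achilles, or from any of the scanners it evaluates. It simulates the four modification types named in the abstract (metadata-removal, re-packaging, re-bundling, re-compilation) on an in-memory jar and runs two simplified detection strategies over each variant: matching Maven coordinates read from `pom.properties`, and matching the SHA-256 of each `.class` entry regardless of its path. The coordinates `org.example:lib:1.0`, the application `com.acme:app:2.3`, the class bytes (a stand-in, not real bytecode) and the vulnerability tables are all constructed for the demonstration.

```python
import hashlib
import io
import zipfile

# Constructed: a fictitious vulnerable artifact and its single class. The
# stand-in bytes carry the class's internal name, as real bytecode does in
# its constant pool, so relocation changes the bytes and not only the path.
VULN_COORDS = ("org.example", "lib", "1.0")
VULN_CLASS_PATH = "org/example/lib/Util.class"
VULN_CLASS_BYTES = b"\xca\xfe\xba\xbe" + b"org/example/lib/Util;javac-8"


def pom_properties(group, artifact, version):
    return f"groupId={group}\nartifactId={artifact}\nversion={version}\n".encode()


def build_jar(entries):
    """Build an in-memory jar (a zip) from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


def read_jar(jar):
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def original_jar():
    g, a, v = VULN_COORDS
    return build_jar({f"META-INF/maven/{g}/{a}/pom.properties": pom_properties(g, a, v),
                      VULN_CLASS_PATH: VULN_CLASS_BYTES})


# --- the four modifications, each applied to the original jar ---

def metadata_removed(jar):
    """Strip META-INF/maven/*; the classes are untouched."""
    return build_jar({p: d for p, d in read_jar(jar).items()
                      if not p.startswith("META-INF/maven/")})


def repackaged(jar):
    """Relocate the package, as maven-shade relocation does. Real relocation
    rewrites the constant pool, so the bytes change too; modelled by replace()."""
    out = {}
    for p, d in read_jar(jar).items():
        if p.endswith(".class"):
            p = "shaded/" + p
            d = d.replace(b"org/example/lib/", b"shaded/org/example/lib/")
        out[p] = d
    return build_jar(out)


def rebundled(jar):
    """Copy the classes into an application fat jar. In this simulation the
    bundle carries only the application's own Maven metadata (constructed)."""
    classes = {p: d for p, d in read_jar(jar).items() if p.endswith(".class")}
    app = {"META-INF/maven/com.acme/app/pom.properties": pom_properties("com.acme", "app", "2.3"),
           "com/acme/app/Main.class": b"\xca\xfe\xba\xbe" + b"com/acme/app/Main"}
    return build_jar({**app, **classes})


def recompiled(jar):
    """Rebuild from source with another toolchain: same coordinates and path,
    different bytes (here modelled by a different compiler tag)."""
    return build_jar({p: (d.replace(b"javac-8", b"javac-17") if p.endswith(".class") else d)
                      for p, d in read_jar(jar).items()})


# --- two simplified scanner strategies ---

def sha256(data):
    return hashlib.sha256(data).hexdigest()


KNOWN_VULN_COORDS = {VULN_COORDS}                           # constructed table
KNOWN_VULN_DIGESTS = {sha256(VULN_CLASS_BYTES): VULN_COORDS}  # constructed table


def scan_by_metadata(jar):
    """Match groupId:artifactId:version from every pom.properties entry."""
    for path, data in read_jar(jar).items():
        if path.startswith("META-INF/maven/") and path.endswith("pom.properties"):
            props = dict(line.split("=", 1) for line in data.decode().splitlines() if "=" in line)
            if (props.get("groupId"), props.get("artifactId"), props.get("version")) in KNOWN_VULN_COORDS:
                return True
    return False


def scan_by_class_digest(jar):
    """Match the content hash of each .class entry, ignoring its path."""
    return any(sha256(d) in KNOWN_VULN_DIGESTS
               for p, d in read_jar(jar).items() if p.endswith(".class"))


def scan(jar):
    return {"metadata": scan_by_metadata(jar), "class_digest": scan_by_class_digest(jar)}


def report():
    """Detection outcome of both strategies for the original jar and each variant."""
    base = original_jar()
    variants = {"original": base, "metadata_removed": metadata_removed(base),
                "repackaged": repackaged(base), "rebundled": rebundled(base),
                "recompiled": recompiled(base)}
    return {name: scan(jar) for name, jar in variants.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:17s} metadata={result['metadata']!s:5s} class_digest={result['class_digest']}")
```

Run stand-alone, the table shows the two strategies failing on complementary variants: coordinate matching misses metadata-removal and re-bundling, content hashing misses re-packaging and re-compilation, and neither covers all four, which is the abstract's point about the evaluated scanners. A relocation- and recompilation-tolerant fingerprint (for example, hashing a normalised form of the class rather than its raw bytes) is the kind of technique a scanner would need for the remaining cases; it is not implemented here.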

Tue 10 May

Displayed time zone: Eastern Time (US & Canada)

11:00 - 12:00
Software Security 7 (Journal-First Papers / Technical Track) at ICSE room 4-odd hours
Chair(s): Diomidis Spinellis Athens University of Economics and Business; Delft University of Technology
11:00
5m
Talk
The Case for Adaptive Security Interventions
Journal-First Papers
Irum Rauf The Open University, UK, Marian Petre The Open University, Thein Tun , Tamara Lopez The Open University, Paul Lunn The University of Manchester, UK, Dirk van der Linden Northumbria University, John Towse Department of Psychology, University of Lancaster, UK, Helen Sharp The Open University, Mark Levine Lancaster University, Awais Rashid University of Bristol, UK, Bashar Nuseibeh The Open University (UK) & Lero (Ireland)
11:05
5m
Talk
Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite
Journal-First Papers
Andreas Dann Paderborn University, Henrik Plate SAP Security Research, France, Ben Hermann Technical University Dortmund, Serena Elisa Ponta SAP Security Research, France, Eric Bodden University of Paderborn; Fraunhofer IEM
11:10
5m
Talk
The Extent of Orphan Vulnerabilities from Code Reuse in Open Source Software (Nominated for Distinguished Paper)
Technical Track
David Reid University of Tennessee, Mahmoud Jahanshahi Research Assistant, University of Tennessee Knoxville, Audris Mockus The University of Tennessee
11:15
5m
Talk
Practical Automated Detection of Malicious npm Packages
Technical Track
Adriana Sejfia University of Southern California, Max Schaefer GitHub, Inc.
11:20
5m
Talk
Exploiting Input Sanitization for Regex Denial of Service
Technical Track
Efe Barlas Purdue University, Xin Du Purdue University, James C. Davis Purdue University, USA
11:25
5m
Talk
Hiding Critical Program Components via Ambiguous Translation
Technical Track
Chijung Jung University of Virginia, Doowon Kim University of Tennessee, Knoxville, An Chen University of Georgia, Weihang Wang University at Buffalo, SUNY, Yunhui Zheng IBM Research, Kyu Hyung Lee University of Georgia, Yonghwi Kwon University of Virginia
21:00 - 22:00
Software Security 4 (Journal-First Papers / Technical Track) at ICSE room 2-odd hours
Chair(s): Hamid Bagheri University of Nebraska-Lincoln
21:00
5m
Talk
Out of Sight, Out of Mind? How Vulnerable Dependencies Affect Open-Source Projects
Journal-First Papers
Gede Artha Azriadi Prana Singapore Management University, Abhishek Sharma Veracode, Inc., Lwin Khin Shar Singapore Management University, Darius Foo National University of Singapore, Andrew Santosa Veracode, Inc., Asankhaya Sharma Veracode, Inc., David Lo Singapore Management University
21:05
5m
Talk
Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite
Journal-First Papers
Andreas Dann Paderborn University, Henrik Plate SAP Security Research, France, Ben Hermann Technical University Dortmund, Serena Elisa Ponta SAP Security Research, France, Eric Bodden University of Paderborn; Fraunhofer IEM
21:10
5m
Talk
DeFault: Mutual Information-based Crash Triage for Massive Crashes
Technical Track
Xing Zhang National University of Defense Technology, Jiongyi Chen National University of Defense Technology, Chao Feng National University of Defense Technology, Ruilin Li National University of Defense Technology, Wenrui Diao Shandong University, Kehuan Zhang The Chinese University of Hong Kong
21:15
5m
Talk
Practical Automated Detection of Malicious npm Packages
Technical Track
Adriana Sejfia University of Southern California, Max Schaefer GitHub, Inc.
21:20
5m
Talk
Exploiting Input Sanitization for Regex Denial of Service
Technical Track
Efe Barlas Purdue University, Xin Du Purdue University, James C. Davis Purdue University, USA
21:25
5m
Talk
Hiding Critical Program Components via Ambiguous Translation
Technical Track
Chijung Jung University of Virginia, Doowon Kim University of Tennessee, Knoxville, An Chen University of Georgia, Weihang Wang University at Buffalo, SUNY, Yunhui Zheng IBM Research, Kyu Hyung Lee University of Georgia, Yonghwi Kwon University of Virginia
