Compatible Remediation on Vulnerabilities from Third-Party Libraries for Java Projects
With the increasing disclosure of vulnerabilities in open-source software, software composition analysis (SCA) has been widely applied to reveal third-party libraries and the associated vulnerabilities in software projects. Beyond the revelation, SCA tools adopt various remediation strategies to fix vulnerabilities, the quality of which varies substantially. However, ineffective remediation could induce side effects, such as compilation failures, which impede acceptance by users. According to our studies, existing SCA tools cannot correctly handle the concerns of users regarding the compatibility of remediated projects. To this end, we propose Compatible Remediation of Third-party libraries (CORAL) for Maven projects to fix vulnerabilities without breaking the projects. The evaluation proved that CORAL not only fixed 87.56% of vulnerabilities which outperformed other tools (best 75.32%) and achieved a 98.67% successful compilation rate and a 92.96% successful unit test rate. Furthermore, we found that 78.45% of vulnerabilities in popular Maven projects could be fixed without breaking the compilation.
Fri 19 MayDisplayed time zone: Hobart change
15:45 - 17:15 | Vulnerability testing and patchingTechnical Track / Journal-First Papers / DEMO - Demonstrations at Meeting Room 105 Chair(s): Cristian Cadar Imperial College London, UK | ||
15:45 15mTalk | Silent Vulnerable Dependency Alert Prediction with Vulnerability Key Aspect Explanation Technical Track Jiamou Sun CSIRO's Data61, Zhenchang Xing , Qinghua Lu CSIRO’s Data61, Xiwei (Sherry) Xu CSIRO’s Data61, Liming Zhu CSIRO’s Data61, Thong Hoang Data61, CSIRO, Dehai Zhao Australian National University, Australia | ||
16:00 15mTalk | Compatible Remediation on Vulnerabilities from Third-Party Libraries for Java Projects Technical Track Lyuye Zhang Nanyang Technological University, Chengwei Liu Nanyang Technological University, Singapore, Zhengzi Xu Nanyang Technological University, Sen Chen Tianjin University, Lingling Fan Nankai University, Lida Zhao Nanyang Technological University, Wu Jiahui Nanyang Technological University, Yang Liu Nanyang Technological University | ||
16:15 15mTalk | Automated Black-box Testing of Mass Assignment Vulnerabilities in RESTful APIs Technical Track Davide Corradini University of Verona, Michele Pasqua University of Verona, Mariano Ceccato University of Verona Pre-print | ||
16:30 7mTalk | Patchmatch: A Tool for Locating Patches of Open Source Project Vulnerabilities DEMO - Demonstrations Kedi Shen Zhejiang university city college, Yun Zhang Zhejiang University City College, Lingfeng Bao Zhejiang University, Zhiyuan Wan Zhejiang University, Zhuorong Li Zhejiang university city college, Minghui Wu Zhejiang University City College} | ||
16:37 8mTalk | Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats Journal-First Papers Giorgio Di Tizio University of Trento, Michele Armellini University of Trento, Fabio Massacci University of Trento; Vrije Universiteit Amsterdam | ||
16:45 7mTalk | SSPCatcher: Learning to Catch Security Patches Journal-First Papers Arthur D. Sawadogo Université du Québec à Montréal, Tegawendé F. Bissyandé SnT, University of Luxembourg, Naouel Moha École de Technologie Supérieure (ETS), Kevin Allix CentraleSupelec Rennes, Jacques Klein University of Luxembourg, Li Li Beihang University, Yves Le Traon University of Luxembourg, Luxembourg | ||
16:52 15mTalk | CoLeFunDa: Explainable Silent Vulnerability Fix Identification Technical Track Jiayuan Zhou Huawei, Michael Pacheco Centre for Software Excellence, Huawei, Jinfu Chen Centre for Software Excellence, Huawei, Canada, Xing Hu Zhejiang University, Xin Xia Huawei, David Lo Singapore Management University, Ahmed E. Hassan Queen’s University | ||