Detection, assessment and mitigation of vulnerabilities in open source dependencies

• Published in: Empirical software engineering : an international journal Vol. 25; no. 5; pp. 3175 - 3215
• Main Authors: Ponta, Serena Elisa, Plate, Henrik, Sabetta, Antonino
• Format: Journal Article
• Language: English
• Published: New York Springer US 01.09.2020; Springer Nature B.V
• Subjects: Compilers; Computer Science; Empirical analysis; Interpreters; Libraries; Open source software; Programming Languages; Quality; Software; Software Engineering/Programming and Operating Systems; Software Maintenance and Evolution (ICSME); Usage-based update support; Code-centric vulnerability analysis; Publicly known vulnerabilities; Open source software; Combination of static and dynamic analysis
• ISSN: 1382-3256; 1573-7616
• DOI: 10.1007/s10664-020-09830-x

Open source software (OSS) libraries are widely used in the industry to speed up the development of software products. However, these libraries are subject to an ever-increasing number of vulnerabilities that are publicly disclosed. It is thus crucial for application developers to detect dependencies on vulnerable libraries in a timely manner, to precisely assess their impact, and to mitigate any potential risk. This paper presents a novel method to detect, assess and mitigate OSS vulnerabilities. Differently from state-of-the-art approaches that depend on metadata to identify vulnerable OSS dependencies, our solution is code-centric, and combines static and dynamic analyses to determine the reachability of the vulnerable portion of libraries, in the context of a given application. Our approach also supports developers in choosing among the existing non-vulnerable library versions, with the goal to determine and minimize incompatibilities. Eclipse Steady, the open source implementation of our code-centric and usage-based approach is the tool recommended to scan Java software products at SAP; it has been successfully used to perform more than one million scans of about 1500 applications. In this paper we report on the lessons learned when maturing the tool from a research prototype to an industrial-grade solution. To evaluate Eclipse Steady, we conducted an empirical study to compare its detection capabilities with those of OWASP Dependency Check (OWASP DC), scanning 300 large enterprise applications under development with a total of 78165 dependencies. Reviewing a sample of the findings reported only by one of the two tools revealed that all Steady findings are true positives, while 88.8% of the findings of OWASP DC for vulnerabilities covered by our code-centric approach are false positives. For vulnerabilities not caused by code but due, e.g., to erroneous configuration, 63.3% of OWASP DC findings are true positives.