Beyond Metadata: Code-Centric and Usage-Based Analysis of Known Vulnerabilities in Open-Source Software

机译：超越元数据：在开源软件中，以代码为中心的基于和使用的已知漏洞的分析

获取原文

页面导航

摘要
著录项
相似文献
相关主题

摘要

The use of open-source software (OSS) is ever-increasing, and so is the number of open-source vulnerabilities being discovered and publicly disclosed. The gains obtained from the reuse of community-developed libraries may be offset by the cost of detecting, assessing, and mitigating their vulnerabilities in a timely manner. In this paper we present a novel method to detect, assess and mitigate OSS vulnerabilities that improves on state-of-the-art approaches, which commonly depend on metadata to identify vulnerable OSS dependencies. Our solution instead is code-centric and combines static and dynamic analysis to determine the reachability of the vulnerable portion of libraries used (directly or transitively) by an application. Taking this usage into account, our approach then supports developers in choosing among the existing non-vulnerable library versions. Vulas, the tool implementing our code-centric and usage-based approach, is officially recommended by SAP to scan its Java software, and has been successfully used to perform more than 250000 scans of about 500 applications since December 2016. We report on our experience and on the lessons we learned when maturing the tool from a research prototype to an industrial-grade solution.

机译：使用开源软件（OSS）是不断增长的，所以正在发现和公开披露的开源漏洞的数量也是如此。从社区开发的库的重用获得的收益可能会通过及时检测，评估和减轻其漏洞的成本来抵消。在本文中，我们提出了一种新的方法来检测，评估和缓解OSS漏洞，这些方法可以提高最先进的方法，这通常取决于元数据来识别易受攻击的OSS依赖性。我们的解决方案是以代码为中心，并结合静态和动态分析，以确定应用程序（直接或过境）的易受攻击部分的可达性。考虑此使用情况，我们的方法将支持开发人员在现有的非易受攻击库版本中选择。通过SAP正式推荐实现基于代码和基于使用的方法的工具，以扫描其Java软件，以来已成功用于自2016年12月以来，已成功用于执行大约500个应用程序的250000多个扫描。我们报告我们的经验在从研究原型到工业级解决方案时，我们学到了教训。

著录项

来源
《IEEE International Conference on Software Maintenance and Evolution》|2018年|xxii 764 p. :|共12页
会议地点
作者
Serena Elisa Ponta; Henrik Plate; Antonino Sabetta;
展开▼
作者单位

展开▼
会议组织
原文格式 PDF
正文语种
中图分类 TP3-532;
关键词
Libraries; Tools; Static analysis; Silicon; Metadata; Open source software;

机译：图书馆;工具;静态分析;硅;元数据;开源软件;

相似文献

外文文献
中文文献
专利

1. A Pattern-Based Software Testing Framework for Exploitability Evaluation of Metadata Corruption Vulnerabilities [J] . Fenglei Deng, Jian Wang, Bin Zhang, Scientific programming . 2020,第2a3期

机译：基于模式的软件测试框架，用于元数据损坏漏洞的可利用性评估
2. Analysis of function-call graphs of open-source software systems using complex network analysis [J] . Journal of international management . 2020,第2期

机译：使用复杂网络分析分析开源软件系统的功能呼叫图
3. Graphical Model Based Multivariate Analysis (GAMMA): An Open-Source, Cross-Platform Neuroimaging Data Analysis Software Package [J] . Rong Chen, Edward H. Herskovits Neuroinformatics . 2012,第2期

机译：基于图形模型的多元分析（GAMMA）：一种开源，跨平台的神经影像数据分析软件包
4. Beyond Metadata: Code-Centric and Usage-Based Analysis of Known Vulnerabilities in Open-Source Software [C] . Serena Elisa Ponta, Henrik Plate, Antonino Sabetta IEEE International Conference on Software Maintenance and Evolution . 2018

机译：超越元数据：开源软件中已知漏洞的以代码为中心和基于使用情况的分析
5. A requirements-based exploration of open-source software development projects -- Towards a natural language processing software analysis framework. [D] . Vlas, Radu Eduard. 2012

机译：基于需求的开源软件开发项目探索-走向自然语言处理软件分析框架。
6. Graphical model based multivariate analysis (GAMMA): an open-source cross-platform neuroimaging data analysis software package [O] . Rong Chen, Edward H Herskovits -1

机译：基于多变量分析（Gamma）图形模型：一个开源跨平台的神经成像的数据分析软件包
7. Beyond Metadata: Code-Centric and Usage-Based Analysis of Known Vulnerabilities in Open-Source Software [O] . Serena Elisa Ponta, Henrik Plate, Antonino Sabetta 2018

机译：超越元数据：在开源软件中，以代码为中心的基于和使用的已知漏洞的分析

Beyond Metadata: Code-Centric and Usage-Based Analysis of Known Vulnerabilities in Open-Source Software

摘要

著录项

相似文献

相关主题

期刊订阅