Vulnerable Open Source Dependencies: Counting Those That Matter
BACKGROUND: Vulnerable dependencies are a known problem in today's
open-source software ecosystems because OSS libraries are highly interconnected
and developers do not always update their dependencies. AIMS: In this paper we
present a precise methodology that combines code-based analysis of
patches with build, test, update-date and group information extracted from
the code repository itself, and therefore caters to the needs of industrial
practice for correct allocation of development and audit resources. METHOD: To
understand the industrial impact of the proposed methodology, we considered the
200 most popular OSS Java libraries used by SAP in its own software. Our
analysis covered 10905 distinct GAVs (group, artifact, version) when
considering all the library versions. RESULTS: We found that about 20% of the
dependencies affected by a known vulnerability are not deployed, and therefore
do not represent a danger to the analyzed library because they cannot be
exploited in practice. Developers of the analyzed libraries are able to fix
(and are actually responsible for) 82% of the deployed vulnerable dependencies. The
vast majority (81%) of vulnerable dependencies can be fixed by simply updating
to a new version, while 1% of the vulnerable dependencies in our sample are
halted and therefore potentially require a costly mitigation strategy.
CONCLUSIONS: Our case study shows that correct counting gives software
development companies actionable information about their library
dependencies, and therefore lets them correctly allocate costly development and audit
resources, which are spent inefficiently when measurements are distorted.
Comment: This is a pre-print of the paper that appears, with the same title,
in the proceedings of the 12th International Symposium on Empirical Software
Engineering and Measurement, 201
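The classification the abstract describes (deployed vs. not deployed, fixable by update vs. halted) can be driven directly from a Maven dependency tree and an advisory table. The script below is an added illustration, not the paper's tooling: it parses constructed `mvn dependency:tree` output, treats `test` and `provided` scope as not deployed, and treats a vulnerable artifact with no fixed release as halted. The artifact names and the advisory table are hypothetical; a real pipeline would fetch advisories from a vulnerability database.

```python
"""Count vulnerable Maven dependencies the way the abstract distinguishes them.

Added example. The dependency tree and the advisory table below are constructed;
the org.example artifacts are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed output of `mvn dependency:tree` (plain text format).
DEPENDENCY_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.example:json-parser:jar:2.1.0:compile
[INFO] +- org.example:http-client:jar:4.3.1:compile
[INFO] +- org.example:mock-http:jar:1.0.2:test
[INFO] \\- org.example:legacy-xml:jar:0.9.5:compile
"""

# Constructed advisory table: affected versions and the first fixed release.
# fixed=None means no non-vulnerable release exists, i.e. the library is halted.
ADVISORIES: Dict[str, dict] = {
    "org.example:json-parser": {"affected": ["2.0.0", "2.1.0"], "fixed": "2.1.1"},
    "org.example:http-client": {"affected": ["4.3.1"], "fixed": "4.3.2"},
    "org.example:mock-http": {"affected": ["1.0.2"], "fixed": "1.0.3"},
    "org.example:legacy-xml": {"affected": ["0.9.5"], "fixed": None},
}

# Only these scopes ship with the artifact; test/provided code is not deployed.
DEPLOYED_SCOPES = {"compile", "runtime"}

# group:artifact:jar:version:scope  (the root line has no scope and is skipped)
LINE_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")


@dataclass
class Finding:
    ga: str
    version: str
    scope: str
    deployed: bool
    fix_version: Optional[str]  # None => halted

    @property
    def category(self) -> str:
        if not self.deployed:
            return "not-deployed"
        if self.fix_version is None:
            return "halted"
        return "fix-by-update"


def parse_tree(text: str) -> List[Tuple[str, str, str]]:
    """Return (group:artifact, version, scope) for every scoped dependency line."""
    deps = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            group, artifact, version, scope = m.groups()
            deps.append((f"{group}:{artifact}", version, scope))
    return deps


def classify(deps, advisories) -> List[Finding]:
    """Keep only dependencies at a version listed as affected, and tag each one."""
    findings = []
    for ga, version, scope in deps:
        adv = advisories.get(ga)
        if adv is None or version not in adv["affected"]:
            continue
        findings.append(Finding(ga, version, scope, scope in DEPLOYED_SCOPES, adv["fixed"]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts per category: these are the numbers that drive resource allocation."""
    counts = {"not-deployed": 0, "fix-by-update": 0, "halted": 0}
    for f in findings:
        counts[f.category] += 1
    return counts


if __name__ == "__main__":
    found = classify(parse_tree(DEPENDENCY_TREE), ADVISORIES)
    for f in found:
        print(f"{f.ga}:{f.version} ({f.scope}) -> {f.category}")
    print(summarize(found))
```

Note that a naive count would report four vulnerable dependencies here; the scope-aware count reports three deployed ones, of which two are fixed by bumping a version and one (the halted library) needs a real mitigation plan.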
The Life and Death of Software Ecosystems
Software ecosystems have gained a lot of attention in recent times. Industry
and developers gather around technologies and collaborate on their advancement;
when the boundaries of such an effort grow beyond a certain number of projects, we
are witnessing the appearance of Free/Libre and Open Source Software (FLOSS)
ecosystems.
In this chapter, we explore two aspects that contribute to a healthy
ecosystem, related to the attraction (and detraction) and the death of
ecosystems. To function and survive, ecosystems need to attract people, get
them on-boarded and retain them. In Section One we explore possibilities with
provocative research questions for attracting and detracting contributors (and
users): the lifeblood of FLOSS ecosystems. Then, in Section Two, we focus on
the death of ecosystems, exploring some presumed-dead ecosystems and their
state in the afterlife.
Comment: Book Chapter
Call Graph Evolution Analytics over a Version Series of an Evolving Software System
Call graph evolution analytics can aid a software engineer when maintaining
or evolving a software system. This paper proposes Call Graph Evolution
Analytics to extract information from an evolving call graph ECG = CG_1,
CG_2, ..., CG_N over the version series VS = V_1, V_2, ..., V_N of an evolving
software system. This is done using Call Graph Evolution Rules (CGERs) and Call
Graph Evolution Subgraphs (CGESs). Similar to association rule mining, the
CGERs are used to capture co-occurrences of dependencies in the system. Like
subgraph patterns in a call graph, the CGESs are used to capture the evolution of
dependency patterns in evolving call graphs. Call graph analytics on the
evolution of these patterns can identify potentially affected dependencies (or
procedure calls) that need attention. The experiments are done on the evolving
call graphs of 10 large evolving systems to support dependency evolution
management. We also consider results from a detailed study of the evolving call
graphs of Maven-Core's version series.
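To make the association-rule analogy concrete, the script below mines co-occurrence rules over the edge sets of a constructed version series and then flags edges in the latest version that break a rule which held historically. This is an added illustration of the idea in the abstract, not the paper's CGER/CGES algorithm: the call graphs, the support and confidence thresholds, and the function names are all assumptions made here.

```python
"""Co-occurrence rules over an evolving call graph ECG = CG_1 .. CG_N.

Added example, not the paper's algorithm. Each CG_i is a set of
(caller, callee) edges; the four versions below are constructed.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str]

# Constructed version series of a hypothetical system.
ECG: List[Set[Edge]] = [
    {("main", "parse"), ("parse", "validate"), ("main", "render")},                                # V1
    {("main", "parse"), ("parse", "validate"), ("main", "render"), ("render", "escape")},           # V2
    {("main", "parse"), ("parse", "validate"), ("main", "render"), ("render", "escape"),
     ("parse", "log")},                                                                           # V3
    {("main", "parse"), ("main", "render"), ("render", "escape"), ("parse", "log")},               # V4: parse->validate dropped
]


def presence_vectors(ecg: List[Set[Edge]]) -> Dict[Edge, Tuple[int, ...]]:
    """Map each edge ever seen to the 1-based version numbers in which it is present."""
    edges = set().union(*ecg)
    return {e: tuple(i + 1 for i, cg in enumerate(ecg) if e in cg) for e in edges}


def evolution_rules(ecg: List[Set[Edge]], min_support: int = 2, min_confidence: float = 0.75):
    """Rules x -> y: 'whenever edge x is present in a version, edge y is too'.

    support    = number of versions containing both x and y
    confidence = support / number of versions containing x
    """
    pv = presence_vectors(ecg)
    rules = []
    for a, b in combinations(sorted(pv), 2):
        for x, y in ((a, b), (b, a)):
            both = len(set(pv[x]) & set(pv[y]))
            if both < min_support:
                continue
            conf = both / len(pv[x])
            if conf >= min_confidence:
                rules.append((x, y, both, round(conf, 2)))
    return rules


def changed_edges(ecg: List[Set[Edge]]):
    """Edges added or removed between consecutive versions."""
    changes = []
    for i in range(1, len(ecg)):
        for e in sorted(ecg[i] - ecg[i - 1]):
            changes.append((i + 1, "added", e))
        for e in sorted(ecg[i - 1] - ecg[i]):
            changes.append((i + 1, "removed", e))
    return changes


def affected_by_rules(ecg: List[Set[Edge]], rules) -> List[Tuple[Edge, Edge]]:
    """Rule violations in the latest version: x is still present but y has gone.

    These are the dependencies that historically travelled together and now
    do not, i.e. the ones a maintainer should look at first.
    """
    latest = ecg[-1]
    return [(x, y) for x, y, _, _ in rules if x in latest and y not in latest]


if __name__ == "__main__":
    rules = evolution_rules(ECG)
    for x, y, sup, conf in rules:
        print(f"{x} -> {y}  support={sup} confidence={conf}")
    print("changes:", changed_edges(ECG))
    print("needs attention:", affected_by_rules(ECG, rules))
```

In the constructed series the call `parse -> validate` disappears in V4 while `main -> parse` and `main -> render`, which co-occurred with it in every earlier version, remain; the rule check surfaces exactly that dropped edge, which is the kind of "potentially affected dependency" the abstract talks about.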
DEVELOPMENT STRATEGY AND MANAGEMENT OF AI-BASED VULNERABILITY DETECTION APPLICATIONS IN ENTERPRISE SOFTWARE ENVIRONMENT
Industries are now struggling with high-severity security vulnerabilities in their software environments, which mainly originate from open-source dependencies. About 54% of the code in industry codebases is open source, and about 30% of it carries high security risks (Synopsys 2018). While there are existing solutions for application security analysis, these typically detect only a limited subset of possible errors based on pre-defined rules. With the availability of open-source vulnerability resources, it is now possible to use data-driven techniques to discover vulnerabilities. Although a few AI-based solutions are available, they come with some associated challenges: 1) the use of artificial intelligence for application security (AppSec) vulnerability detection has been very limited and definitely not industry oriented; 2) the strategy to develop, use and manage such AppSec products in enterprises has not been investigated, and as a result cybersecurity firms do not use even the limited existing solutions. In this study, we aim to address these challenges with strategies for developing such AppSec products, managing their use, and assessing their economic value in an enterprise environment.