
    Vulnerable Open Source Dependencies: Counting Those That Matter

    BACKGROUND: Vulnerable dependencies are a known problem in today's open-source software ecosystems because OSS libraries are highly interconnected and developers do not always update their dependencies. AIMS: In this paper we aim to present a precise methodology that combines the code-based analysis of patches with information on build, test and update dates, and on the group, extracted from the code repository itself, and therefore caters to the needs of industrial practice for the correct allocation of development and audit resources. METHOD: To understand the industrial impact of the proposed methodology, we considered the 200 most popular OSS Java libraries used by SAP in its own software. Our analysis included 10905 distinct GAVs (group, artifact, version) when considering all the library versions. RESULTS: We found that about 20% of the dependencies affected by a known vulnerability are not deployed, and therefore do not represent a danger to the analyzed library because they cannot be exploited in practice. Developers of the analyzed libraries are able to fix (and are actually responsible for) 82% of the deployed vulnerable dependencies. The vast majority (81%) of vulnerable dependencies may be fixed by simply updating to a new version, while 1% of the vulnerable dependencies in our sample are halted (no longer maintained), and therefore potentially require a costly mitigation strategy. CONCLUSIONS: Our case study shows that correct counting allows software development companies to receive actionable information about their library dependencies, and therefore to allocate costly development and audit resources correctly, whereas distorted measurements cause those resources to be spent inefficiently.
    Comment: This is a pre-print of the paper that appears, with the same title, in the proceedings of the 12th International Symposium on Empirical Software Engineering and Measurement, 201
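    The counting the abstract describes (vulnerable dependencies that are not deployed, those fixable by a plain version bump, and those whose upstream is halted) can be reproduced over a Maven-style inventory. The block below is an added illustration, not the paper's tooling or SAP data: the dependency list, advisory table and release dates are constructed, and the rules for "deployed" (compile/runtime scope), "halted" (no fix published, or no release in three years) and "own responsibility" (direct dependency) are assumptions chosen to mirror the abstract's buckets.

```python
"""Classify vulnerable GAVs the way the abstract counts them (added example,
constructed data; scope/halted/responsibility rules are assumptions)."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Dep:
    gav: str        # "group:artifact:version", as printed by `mvn dependency:list`
    scope: str      # Maven scope: compile, runtime, provided, test
    direct: bool    # declared in this project's POM (True) or transitive (False)


@dataclass(frozen=True)
class Advisory:
    artifact: str             # "group:artifact"
    fixed_in: Optional[str]   # first non-vulnerable version; None = no fix published


SHIPPED_SCOPES = {"compile", "runtime"}   # assumption: only these reach deployment
HALTED_AFTER = timedelta(days=3 * 365)     # assumption: no release in 3 years = halted
TODAY = date(2018, 6, 1)                   # pinned so the example is deterministic


def version_key(v: str):
    """Numeric-only ordering ('1.2.3' -> (1, 2, 3)); pre-release tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def classify(dep: Dep, advisories: List[Advisory],
             last_release: Dict[str, date], today: date = TODAY) -> str:
    group, artifact, version = dep.gav.split(":")
    key = f"{group}:{artifact}"
    hits = [a for a in advisories if a.artifact == key
            and (a.fixed_in is None or version_key(version) < version_key(a.fixed_in))]
    if not hits:
        return "not_affected"
    if dep.scope not in SHIPPED_SCOPES:
        return "not_deployed"          # e.g. test-only: cannot be exploited in production
    released = last_release.get(key)
    stale = released is None or today - released > HALTED_AFTER
    if stale or any(a.fixed_in is None for a in hits):
        return "halted"                # needs a mitigation, not just a version bump
    return "fix_by_update"


def count(deps: List[Dep], advisories: List[Advisory],
          last_release: Dict[str, date]) -> Dict[str, int]:
    tally = {"not_affected": 0, "not_deployed": 0, "fix_by_update": 0,
             "halted": 0, "own_responsibility": 0}
    for d in deps:
        bucket = classify(d, advisories, last_release)
        tally[bucket] += 1
        # deployed vulnerable dependency declared directly: this project must fix it
        if bucket in ("fix_by_update", "halted") and d.direct:
            tally["own_responsibility"] += 1
    return tally


# Constructed inventory (hypothetical coordinates, not real artifacts)
DEPS = [
    Dep("org.example:web-core:2.1.0", "compile", True),
    Dep("org.example:legacy-xml:1.4.2", "compile", False),
    Dep("org.example:test-harness:3.0.1", "test", True),
    Dep("org.example:crypto-utils:5.2.0", "runtime", True),
    Dep("org.example:old-parser:0.9.8", "compile", True),
]
ADVISORIES = [
    Advisory("org.example:web-core", "2.2.0"),
    Advisory("org.example:legacy-xml", None),
    Advisory("org.example:test-harness", "3.1.0"),
    Advisory("org.example:crypto-utils", "5.0.0"),
    Advisory("org.example:old-parser", "1.0.0"),
]
LAST_RELEASE = {
    "org.example:web-core": date(2018, 3, 10),
    "org.example:legacy-xml": date(2017, 11, 2),
    "org.example:test-harness": date(2018, 1, 5),
    "org.example:crypto-utils": date(2018, 5, 20),
    "org.example:old-parser": date(2013, 8, 1),
}

if __name__ == "__main__":
    for d in DEPS:
        print(f"{d.gav:40} {d.scope:8} -> {classify(d, ADVISORIES, LAST_RELEASE)}")
    print(count(DEPS, ADVISORIES, LAST_RELEASE))
```

    A naive scanner would report all five coordinates as vulnerable; the bucketed count shows that only one needs a plain version bump, two need a real mitigation plan, one is unreachable in production, and one is already above the fixed version.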

    Secure Software Development in the Era of Fluid Multi-party Open Software and Services

    Pushed by market forces, software development has become fast-paced. As a consequence, modern development projects are assembled from third-party components. Security and privacy assurance techniques, once designed for large, controlled updates over months or years, must now cope with small, continuous changes taking place within a week, and happening in sub-components that are controlled by third-party developers one might not even know exist. In this paper, we aim to provide an overview of current software security approaches and evaluate their appropriateness in the face of the changed nature of software development. Software security assurance could benefit from switching from a process-based to an artefact-based approach. Further, security evaluation might need to be more incremental, automated and decentralized. We believe this can be achieved by supporting mechanisms for lightweight and scalable screenings that are applicable to the entire population of software components, albeit at a price.
    Comment: 7 pages, 1 figure, to be published in Proceedings of International Conference on Software Engineering - New Ideas and Emerging Result

    Numerical and experimental analysis of the leaning Tower of Pisa under earthquake

    Twenty years have passed since the most recent studies of the dynamic behavior of the leaning Tower of Pisa. Significant changes have occurred in the meantime, the most important ones concerning soil-structure interaction. From 1999 to 2001, the foundation of the monument was consolidated through under-excavation, and the "Catino" at the basement was rigidly connected to the foundation. Moreover, in light of recent advances in the field of earthquake engineering, past studies of the Tower must be revised. Therefore, the present research aims at providing new data and results on the structural response of the Tower under earthquake. As regards the experimental assessment of the Tower, the dynamic response of the structure recorded during some earthquakes has been analyzed in the time and frequency domains. An Array 2D test has been performed in the Square of Miracles to identify a soil profile suitable for site response analyses, thus allowing the definition of the free-field seismic inputs at the base of the Tower. On the other hand, a synthetic evaluation of the seismic input in terms of response spectra has been done by means of a hybrid approach that combines Probabilistic and Deterministic Seismic Hazard Assessment methods. Furthermore, natural accelerograms have been selected and scaled properly. A finite element model that takes into account the inclination of the structure has been elaborated, and it has been updated taking into account the available experimental results. Finally, current numerical and experimental efforts for enhancing the seismic characterization of the Tower are illustrated.

    Damage patterns in the town of Amatrice after August 24th 2016 Central Italy earthquakes

    The impact of the two seismic events of August 24th 2016 on the municipality of Amatrice was highly destructive. There were 298 victims, 386 injured and about 5000 homeless, and the historical center of the town suffered a great number of partial and total collapses. The 260 strong motion records obtained for the first event were analyzed and plotted in a shakemap, and compared with the macroseismic damage surveys made in 305 localities. On the basis of an inspection survey made in September 2016, a map of the damage patterns of the buildings in the historical center was elaborated according to the EMS 98 classification. The damage level was very high, with more than 60% of the inspected buildings showing partial or total collapse. The elevated level of destruction was mainly caused by the high vulnerability of the masonry buildings, mostly due to specific vulnerability factors such as the poor quality of the masonry, the lack of connections between walls and the poor connection between external walls and floors.

    The challenge of defining upper bounds on earthquake ground motions

    Recent studies to assess very long-term seismic hazard in the United States and in Europe have brought the issue of upper limits on earthquake ground motions into the arena of problems requiring attention from the engineering seismological community. Few engineering projects are considered sufficiently critical to warrant the use of annual frequencies of exceedance so low that ground-motion estimates may become unphysical if limiting factors are not considered, but for nuclear waste repositories, for example, the issue is of great importance. The definition of upper bounds on earthquake ground motions also presents an exciting challenge for researchers in the area of seismic hazard assessment. This paper looks briefly at historical work on maximum values of ground-motion amplitudes before illustrating why this is an important issue for hazard assessments at very long return periods. The paper then discusses the factors that control the extreme values of motion, both in terms of generating higher amplitude bedrock motions and of limiting the values of motion at the ground surface. Possible channels of research that could be explored in the quest to define maximum possible ground motions are also discussed

    Improving the Italian strong ground motion attenuation relationship: preliminary results with an updated accelerometric data set

    Strong ground motion attenuation relationships are fundamental tools for seismic hazard evaluation. In Italy the most widely used attenuation relationship is that of Sabetta and Pugliese (1987 and 1996, hereafter referred to as SP96) for evaluating peak ground acceleration, peak ground velocity, Arias intensity and pseudovelocity response spectra for the Italian territory. The equation was derived using 95 records from 17 earthquakes with magnitude ranging from 4.6 to 6.8. The SP96 relation is based on the strongest events since the installation of accelerometric instruments in Italy in 1972, such as Friuli 1976, Valnerina 1979, Irpinia 1980 and Lazio-Abruzzo 1984, which is the most recent event. In the time span 1984-2007 other moderate seismic events occurred in Italy, namely East Sicily 1991, Umbria-Marche 1997-1998, Pollino 1998 and Molise 2002, with moment magnitude > 5, and huge data sets were obtained thanks to the installation of many temporary stations and digital instruments. The Umbria-Marche and Molise accelerometric data sets allowed the calculation of regional attenuation relationships that show a considerably different trend compared to SP96. In this time span a project for the construction of an updated Italian accelerometric database was started, with the aim of collecting all the acceleration time histories recorded since 1972 and re-evaluating, updating and improving event parameters, data processing and station geological/geotechnical characteristics. The aim of this research is the implementation of a new weighted regression analysis with the expanded and updated database, including coefficients to model the magnitude-dependent decay rate, the faulting mechanism, the local site effects and the magnitude-dependent variance. In addition, the fit of the SP96 equation to the new accelerometric data set spanning 1972 to 2004 is evaluated with the aid of different statistical techniques, in order to verify the need to derive a new attenuation equation.

    Distinct platelet crosstalk with adaptive and innate immune cells after adenoviral and mRNA vaccination against SARS-CoV-2

    Background: Genetic-based COVID-19 vaccines have proved highly effective in reducing the risk of hospitalization and death. As they were first distributed on a large scale, adenoviral-based vaccines were linked to a very rare thrombosis with thrombocytopenia syndrome, and the interplay between platelets and vaccination increasingly gained attention. Objective: To study the crosstalk between platelets and the vaccine-induced immune response. Methods: We prospectively enrolled young healthy volunteers who received the mRNA-based vaccine BNT162b2 (n=15) or the adenovirus-based vaccine AZD1222 (n=25) and studied their short-term platelet and immune response before and after vaccine injections. In a separate cohort, we retrospectively analysed the effect of aspirin on the antibody response 1 and 5 months after BNT162b2 vaccination. Results: Here we show that a faster antibody response to either vaccine is associated with the formation of platelet aggregates with marginal zone-like B-cells, a subset geared to bridge the temporal gap between innate and adaptive immunity. However, while the mRNA-based vaccine is associated with a more gradual and tolerogenic response that fosters the crosstalk between platelets and adaptive immunity, the adenovirus-based vaccine, the less immunogenic of the two, evokes an antiviral-like response during which platelets are cleared and are less likely to cooperate with B-cells. Moreover, subjects taking aspirin (n=56) display lower antibody levels after BNT162b2 vaccination compared to matched individuals. Conclusions: Platelets are a component of the innate immune pathways that promote the B-cell response after vaccination. Future studies on the platelet-immune crosstalk post-immunization will improve the safety, efficacy and strategic administration of next-generation vaccines.

    Dependability in dynamic, evolving and heterogeneous systems: the CONNECT approach

    The EU Future and Emerging Technologies (FET) project CONNECT aims at dropping the heterogeneity barriers that prevent the eternality of networked systems through a revolutionary approach: to synthesise on-the-fly the connectors via which networked systems communicate. The CONNECT approach, however, comes at risk from the standpoint of dependability, stressing the need for methods and tools that ensure resilience of the dynamically connected system to faults, errors and malicious attacks. We are investigating a comprehensive approach, which combines dependability analysis, security enforcement and trust assessment, and is centred around a lightweight adaptive monitoring framework. In this project paper, we overview the research that we are undertaking towards this objective and propose a unifying workflow process that encompasses all the CONNECT dependability/security/trust concepts and models.

    Seismic Reassessment of the Leaning Tower of Pisa: Monitoring, Site Response and SSI

    The Tower of Pisa has survived several strong earthquakes undamaged over the last 650 years, despite its leaning and its limited strength and ductility. No credible explanation for its remarkable seismic performance exists to date. A reassessment of this unique case history in light of new seismological, geological, structural and geotechnical information is reported, aiming to address this question. The following topics are discussed: (1) dynamic structural identification based on recorded earthquake data; (2) geophysical site characterization using a two-dimensional array; (3) seismic hazard and site response analysis considering horizontal and vertical motions; and (4) soil-structure interaction (SSI) analysis calibrated using lab and field data. A substantial shift in natural period caused by SSI, from about 0.35 s to over 1 s (a threefold increase, the largest known for a building of that height), a wave parameter (1∕σ) of about 0.3, and a minor effect of vertical ground motion are identified and may explain the lack of earthquake damage to the Tower. Recommendations for future research, including the need to establish a seismic bedrock deeper than 500 m, are provided.