DeepAI AI Chat
Log In Sign Up

SōjiTantei: Function-Call Reachability Detection of Vulnerable Code for npm Packages

by   Bodin Chinthanet, et al.
Nara Institute of Science and Technology
Wakayama University

It has become common practice for software projects to adopt third-party dependencies. Developers are encouraged to update any outdated dependency to remain safe from potential threats of vulnerabilities. In this study, we present an approach to aid developers show whether or not a vulnerable code is reachable for JavaScript projects. Our prototype, SōjiTantei, is evaluated in two ways (i) the accuracy when compared to a manual approach and (ii) a larger-scale analysis of 780 clients from 78 security vulnerability cases. The first evaluation shows that SōjiTantei has a high accuracy of 83.3 speed of less than a second analysis per client. The second evaluation reveals that 68 out of the studied 78 vulnerabilities reported having at least one clean client. The study proves that automation is promising with the potential for further improvement.


page 1

page 2


A Comparative Study of Vulnerability Reporting by Software Composition Analysis Tools

Background: Modern software uses many third-party libraries and framewor...

On the Effect of Transitivity and Granularity on Vulnerability Propagation in the Maven Ecosystem

Reusing software libraries is a pillar of modern software engineering. I...

CoinWatch: A Clone-Based Approach For Detecting Vulnerabilities in Cryptocurrencies

Cryptocurrencies have become very popular in recent years. Thousands of ...

XSS Vulnerabilities in Cloud-Application Add-Ons

Cloud-application add-ons are microservices that extend the functionalit...

Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages

Vulnerabilities in open source packages can be a security risk for the c...

Security Review of Ethereum Beacon Clients

The beacon chain is the backbone of the Ethereum's evolution towards a p...