The Dynamics of Software Composition Analysis

09/03/2019
by Darius Foo, et al.

Developers today use significant amounts of open source code, surfacing the need for ways to automatically audit and upgrade library dependencies and leading to the emergence of Software Composition Analysis (SCA). SCA products are concerned with three tasks: discovering dependencies, checking the reachability of vulnerable code for false positive elimination, and automated remediation. The latter two tasks rely on call graphs of library and application code to check whether vulnerable methods found in the open source components are called by applications. However, statically-constructed call graphs introduce both false positives and false negatives on real-world projects. In this paper, we develop a novel, modular means of combining statically- and dynamically-constructed call graphs via instrumentation to improve the performance of false positive elimination. Our experiments indicate significant performance improvements, but also that instrumentation-based call graphs are less readily applicable in practice.
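As an added illustration of the reachability check the abstract describes (this is not code from the paper or from any SCA product), the toy below builds a static call graph from the AST of a constructed application, records a dynamic call graph with `sys.setprofile` while running a workload through instrumented code, and combines the two to classify a known vulnerable library method as confirmed, possible, or unreachable. The library and application sources, the function names, the workload, and the union-based combination strategy are all assumptions made for the demo, not the paper's mechanism.

```python
"""Toy SCA reachability check: a static call graph (from the AST) combined with
a dynamic call graph (from runtime instrumentation) to decide whether a known
vulnerable library method is reachable from application entry points.
Added illustration, not code from the paper. All sources below are constructed."""
import ast
import sys
from collections import defaultdict

# Constructed "library" and "application" sources (hypothetical, for the demo).
LIB_SRC = '''
def parse(data):
    return unsafe_deserialize(data)

def unsafe_deserialize(data):      # stand-in for the vulnerable library method
    return ("deserialized", data)

def safe_parse(data):
    return ("safe", data)
'''

APP_SRC = '''
HANDLERS = {"legacy": parse, "modern": safe_parse}

def handle_request(req):
    # Call through a table: a name-based static analysis sees no callee here.
    return HANDLERS[req["kind"]](req["body"])

def export_report(req):
    # Direct call the static analysis sees, but the test workload never runs.
    return parse(req["body"])
'''

FILENAME = "<sca-toy>"  # tags compiled frames so the profiler keeps only our code


def static_call_graph(src):
    """Over-approximate graph: every `name(...)` call inside a def is an edge.
    Calls through variables, tables or attributes are missed (false negatives)."""
    graph = defaultdict(set)
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.FunctionDef):
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call) and isinstance(sub.func, ast.Name):
                    graph[node.name].add(sub.func.id)
    return graph


def dynamic_call_graph(src, workload):
    """Under-approximate graph: only edges actually executed by `workload`
    (a list of (entry_point_name, argument) pairs) are recorded."""
    ns = {}
    exec(compile(src, FILENAME, "exec"), ns)
    graph = defaultdict(set)

    def profiler(frame, event, arg):
        # Record caller -> callee only when both frames belong to the toy code.
        if event != "call" or frame.f_code.co_filename != FILENAME:
            return
        caller = frame.f_back
        if caller is not None and caller.f_code.co_filename == FILENAME:
            graph[caller.f_code.co_name].add(frame.f_code.co_name)

    sys.setprofile(profiler)
    try:
        for entry, arg in workload:
            ns[entry](arg)
    finally:
        sys.setprofile(None)
    return graph


def reachable(graph, roots):
    """Transitive closure of `graph` starting from the given root names."""
    seen, stack = set(), list(roots)
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(graph.get(n, ()))
    return seen


def assess(static, dynamic, entry_points, vulnerable):
    """Combination strategy assumed for this demo (not the paper's mechanism):
    an executed path is 'confirmed'; a path only the static graph shows is
    'possible'; otherwise the finding is reported as unreachable."""
    if vulnerable in reachable(dynamic, entry_points):
        return "confirmed"
    union = defaultdict(set)
    for g in (static, dynamic):
        for caller, callees in g.items():
            union[caller] |= callees
    if vulnerable in reachable(union, entry_points):
        return "possible"
    return "unreachable"


SRC = LIB_SRC + APP_SRC
VULN = "unsafe_deserialize"


def demo(workload, entry_points):
    return assess(static_call_graph(SRC), dynamic_call_graph(SRC, workload),
                  entry_points, VULN)


if __name__ == "__main__":
    legacy = [("handle_request", {"kind": "legacy", "body": b"x"})]
    modern = [("handle_request", {"kind": "modern", "body": b"x"})]
    print(demo(legacy, ["handle_request"]))  # confirmed: dynamic edge the static graph missed
    print(demo(modern, ["export_report"]))   # possible: static edge, never executed
    print(demo(modern, ["handle_request"]))  # unreachable: workload gap hides a real path
```

The three runs show the two failure modes the abstract names. The static graph misses the table-dispatched call in `handle_request` (a false negative), which the instrumented run recovers; it flags `export_report` (a true static edge) that no workload exercises, so the finding stays only "possible". The third run is the practical caveat: with a workload that never sends a `legacy` request, the dynamic graph says nothing about the real path to the vulnerable method, so an instrumentation-only verdict is only as good as the coverage of the workload that produced it.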


