
The Dynamics of Software Composition Analysis

by Darius Foo, et al.

Developers today use significant amounts of open source code, surfacing the need for ways to automatically audit and upgrade library dependencies and leading to the emergence of Software Composition Analysis (SCA). SCA products are concerned with three tasks: discovering dependencies, checking the reachability of vulnerable code for false positive elimination, and automated remediation. The latter two tasks rely on call graphs of library and application code to check whether vulnerable methods found in the open source components are called by applications. However, statically-constructed call graphs introduce both false positives and false negatives on real-world projects. In this paper, we develop a novel, modular means of combining statically- and dynamically-constructed call graphs via instrumentation to improve the performance of false positive elimination. Our experiments indicate significant performance improvements, but that instrumentation-based call graphs are less readily applicable in practice.
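As an added illustration (not code from the paper), the reachability check the abstract describes, in Python: a statically-built and an instrumentation-recorded call graph of the same application are combined, and each vulnerable method from an advisory is classified by whether a path from the entry point exists in either graph, with a witness path for the reviewer. All edges, method names and the advisory list are constructed for the example.

```python
from collections import deque

# Constructed sample data, not from the paper. Static edges as a bytecode call-graph
# builder might over-approximate them; dynamic edges as instrumentation records them
# during a test run. The reflective plugin load is invisible to static analysis.
STATIC_EDGES = {("app.Main.main", "app.Service.handle"),
                ("app.Service.handle", "lib.Parser.parse"),
                ("lib.Parser.parse", "lib.Codec.decode"),
                ("app.Service.handle", "lib.Cache.evict")}
DYNAMIC_EDGES = {("app.Main.main", "app.Service.handle"),
                 ("app.Service.handle", "lib.Parser.parse"),
                 ("app.Service.handle", "lib.Plugin.load"),
                 ("lib.Plugin.load", "lib.Codec.decode")}
# Methods that a (constructed) advisory says are vulnerable.
VULNERABLE = ["lib.Codec.decode", "lib.Plugin.load", "lib.Cache.evict", "lib.Xml.expand"]

def reachable_from(edges, entry):
    """Breadth-first walk over caller->callee edges; returns {method: caller} so a
    witness path can be rebuilt afterwards."""
    graph = {}
    for caller, callee in edges:
        graph.setdefault(caller, set()).add(callee)
    parent, queue = {entry: None}, deque([entry])
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, set()).difference(parent):
            parent[callee] = node
            queue.append(callee)
    return parent

def witness_path(parent, target):
    path = []
    while target is not None:
        path.append(target)
        target = parent[target]
    return path[::-1]

def triage(static_edges, dynamic_edges, entry, vulnerable):
    """Union of both views: a method is reachable if either graph shows a path; the
    verdict names the evidence so a reviewer can weigh it."""
    static_reach = reachable_from(static_edges, entry)
    dynamic_reach = reachable_from(dynamic_edges, entry)
    verdicts = {}
    for method in vulnerable:
        if method in dynamic_reach:      # observed at runtime: strongest evidence
            verdicts[method] = ("reachable:observed", witness_path(dynamic_reach, method))
        elif method in static_reach:     # static-only: possible over-approximation
            verdicts[method] = ("reachable:static-only", witness_path(static_reach, method))
        else:                            # candidate false positive for this advisory
            verdicts[method] = ("unreachable", [])
    return verdicts
```

In this data `lib.Plugin.load` is only found through the instrumented graph (a static false negative), while `lib.Cache.evict` rests on static evidence alone and `lib.Xml.expand` is unreachable from the entry point and can be dropped from the findings.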



