Tracing Vulnerable Code Lineage

03/23/2021
by   David Reid, et al.
0

This paper presents results from the MSR 2021 Hackathon. Our team investigates files/projects that contain known security vulnerabilities and how widespread they are throughout repositories in open source software. These security vulnerabilities can potentially be propagated through code reuse even when the vulnerability is fixed in different versions of the code. We utilize the World of Code infrastructure to discover file-level duplication of code from a nearly complete collection of open source software. This paper describes a method and set of tools to find all open source projects that use known vulnerable files and any previous revisions of those files.

READ FULL TEXT
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

08/13/2021

VulnEx: Exploring Open-Source Software Vulnerabilities in Large Development Organizations to Understand Risk Exposure

The prevalent usage of open-source software (OSS) has led to an increase...
05/07/2021

Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers

The sources of reliable, code-level information about vulnerabilities th...
06/15/2018

Beyond Metadata: Code-centric and Usage-based Analysis of Known Vulnerabilities in Open-source Software

The use of open-source software (OSS) is ever-increasing, and so is the ...
06/01/2021

On using distributed representations of source code for the detection of C security vulnerabilities

This paper presents an evaluation of the code representation model Code2...
08/29/2018

Timelines for In-Code Discovery of Zero-Day Vulnerabilities and Supply-Chain Attacks

Zero-day vulnerabilities can be accidentally or maliciously placed in co...
12/03/2019

The most frequent programming mistakes that cause software vulnerabilities

All computer programs have flaws, some of which can be exploited to gain...
11/15/2019

Exploiting Token and Path-based Representations of Code for Identifying Security-Relevant Commits

Public vulnerability databases such as CVE and NVD account for only 60 s...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.