DeepAI AI Chat
Log In Sign Up

VulnEx: Exploring Open-Source Software Vulnerabilities in Large Development Organizations to Understand Risk Exposure

by   Frederik L. Dennig, et al.
University of Konstanz

The prevalent usage of open-source software (OSS) has led to an increased interest in resolving potential third-party security risks by fixing common vulnerabilities and exposures (CVEs). However, even with automated code analysis tools in place, security analysts often lack the means to obtain an overview of vulnerable OSS reuse in large software organizations. In this design study, we propose VulnEx (Vulnerability Explorer), a tool to audit entire software development organizations. We introduce three complementary table-based representations to identify and assess vulnerability exposures due to OSS, which we designed in collaboration with security analysts. The presented tool allows examining problematic projects and applications (repositories), third-party libraries, and vulnerabilities across a software organization. We show the applicability of our tool through a use case and preliminary expert feedback.


Tracing Vulnerable Code Lineage

This paper presents results from the MSR 2021 Hackathon. Our team invest...

On the Use of Refactoring in Security Vulnerability Fixes: An Exploratory Study on Maven Libraries

Third-party library dependencies are commonplace in today's software dev...

PREPRINT: Can the OpenSSF Scorecard be used to measure the security posture of npm and PyPI?

The OpenSSF Scorecard project is an automated tool to monitor the securi...

Machine Learning Containers are Bloated and Vulnerable

Today's software is bloated leading to significant resource wastage. Thi...

On the Relationship between Software Complexity and Security

This work aims at discussing the complexity aspect of software while dem...

Beyond Metadata: Code-centric and Usage-based Analysis of Known Vulnerabilities in Open-source Software

The use of open-source software (OSS) is ever-increasing, and so is the ...

M-STAR: A Modular, Evidence-based Software Trustworthiness Framework

Despite years of intensive research in the field of software vulnerabili...