Article
DOI: 10.1007/978-3-031-75764-8_9

Adversarial Analysis of Software Composition Analysis Tools

Published: 24 October 2024

Abstract

With the widespread use of third-party code in software projects, Software Composition Analysis (SCA) tools emerged to help developers and security specialists automate the detection of vulnerabilities within dependencies. Among SCA tools, the most common dependency detection techniques are metadata-based. However, there has been no comprehensive evaluation of metadata-reliant SCA tools with regard to their resilience against metadata manipulation. To bridge this gap, we conducted a thorough evaluation of 5 state-of-the-art metadata-reliant SCA tools across 11 attack scenarios, each crafted to exercise a particular manifest feature, bundling technique, or dependency modification. Our findings reveal a concerning lack of resilience against metadata manipulation among these tools, with subtle modifications easily influencing their detection capabilities. These results not only uncover the limitations of existing metadata-based approaches but also offer valuable insights for SCA tool researchers, developers, and users.



Published In

Information Security: 27th International Conference, ISC 2024, Arlington, VA, USA, October 23–25, 2024, Proceedings, Part II
Oct 2024
350 pages
ISBN: 978-3-031-75763-1
DOI: 10.1007/978-3-031-75764-8
  • Editors: Nicky Mouha, Nick Nikiforakis

Publisher

Springer-Verlag

Berlin, Heidelberg


Author Tags

  1. Software composition analysis
  2. Dependency
  3. Vulnerability
