Empirical comparison between vulnerability detection tools

Due to an increase in open source libraries usage, organizations are concern about the security risk of using open source libraries. Software Composition Analysis tool is recommended as it is an automated tool that notifies the developers when vulnerabilities in libraries are detected. However, it i...

Full description

Saved in:
Bibliographic Details
Main Author: Lee, Kian Lon
Other Authors: Liu Yang
Format: Final Year Project
Language:English
Published: 2019
Subjects:
Online Access:http://hdl.handle.net/10356/76990
Tags: Add Tag
No Tags, Be the first to tag this record!
Institution: Nanyang Technological University
Language: English
Description
Summary:Due to an increase in open source libraries usage, organizations are concern about the security risk of using open source libraries. Software Composition Analysis tool is recommended as it is an automated tool that notifies the developers when vulnerabilities in libraries are detected. However, it is difficult for developers to choose a tool that is the most suitable for their project. Each tool uses a different database and has a different approach to detect vulnerabilities. Often, developers realize the tool is not applicable for the project after using it for quite some time. This project aims to assess and compare the accuracy of Software Composition Analysis tools in different configuration environment. Project with different configuration will be used and the result will be stored. The result will be compared to see which tool the best for each project is. This project will also try to identify and understand why false positive and negative occurs.