Software composition analysis for vulnerability detection: An empirical study on Java projects

Software composition analysis (SCA) tools are proposed to detect potential vulnerabilities introduced by open-source software (OSS) imported as third-party libraries (TPL). With the increasing complexity of software functionality, SCA tools may encounter various scenarios during the dependency resolution process, such as diverse formats of artifacts, diverse dependency imports, and diverse dependency specifications. However, there is still no comprehensive evaluation of SCA tools for Java that takes the above scenarios into account. This can lead to a confined interpretation of comparisons and improper use of the tools, and can hinder further improvement of the tools. To fill this gap, we propose an Evaluation Model consisting of Scan Modes, Scan Methods, and SCA Scope for Maven (SSM), for comprehensive assessment of the dependency resolution capabilities and effectiveness of SCA tools. Based on the Evaluation Model, we first qualitatively examine the capabilities of 6 SCA tools. Next, the accuracy of dependency and vulnerability detection is quantitatively evaluated on a large-scale dataset (21,130 Maven modules with 73,499 unique dependencies) under two Scan Modes (i.e., build scan and pre-build scan). The results show that most tools do not fully support SSM, which leads to compromised accuracy. For dependency detection, the average F1-score is 0.890 for build scan and 0.692 for pre-build scan, and for vulnerability detection the average F1-score is 0.475. However, proper support for SSM reduces dependency detection false positives by 34.24% and false negatives by 6.91%. This further leads to a reduction of 18.28% in false positives and 8.72% in false negatives in vulnerability reports.

Bibliographic Details
Main Authors: ZHAO, Lida, CHEN, Sen, XU, Zhengzi, ZHANG, Lyuye, WU, Jiahui, SUN, Jun, LIU, Yang
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2023
Subjects: SCA; Package manager; Vulnerability detection; Software Engineering
Online Access:https://ink.library.smu.edu.sg/sis_research/9317
https://ink.library.smu.edu.sg/context/sis_research/article/10317/viewcontent/fse2023_sca.pdf
Institution: Singapore Management University
Date: 2023-12-01
DOI: 10.1145/3611643.3616299
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Collection: Research Collection School Of Computing and Information Systems