A Screening Test for Disclosed Vulnerabilities in FOSS Components

By Stanislav Dashevskyi, Achim D. Brucker, and Fabio Massacci.

Free and Open Source Software (FOSS) components are ubiquitous in both proprietary and open source applications. Each time a vulnerability is disclosed in a FOSS component, a software vendor using it in an application must decide whether to update the FOSS component, patch the application itself, or just do nothing because the vulnerability does not apply to the older version of the FOSS component in use. This is particularly challenging for enterprise software vendors that consume thousands of FOSS components and offer more than a decade of support and security fixes for their applications. Moreover, customers expect vendors to react quickly to disclosed vulnerabilities—in the case of widely discussed vulnerabilities such as Heartbleed, within hours.

To address this challenge, we propose a screening test: a novel, automatic method, based on thin slicing, for quickly estimating whether a given vulnerability is present in a consumed FOSS component by looking across its entire repository. We show that our screening test scales to large open source projects (e.g., Apache Tomcat, Spring Framework, Jenkins) that are routinely used by large software vendors, scanning thousands of commits and hundreds of thousands of lines of code in a matter of minutes.

Further, we provide insights on the empirical probability that, on the above-mentioned projects, a potentially vulnerable component might not actually be vulnerable after all.
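As an added illustration of the screening idea (example code, not the authors' prototype): take the lines a fix commit removes as evidence of the vulnerable code and check which other versions in the repository still contain them, and treat versions that already contain the lines the fix added as fixed (e.g. a backport). The five-version history is constructed, and the plain line match stands in for the paper's thin slicing; both are assumptions of this example.

```python
import difflib
from typing import Dict, List, Tuple

# Constructed sample history (tag -> contents of one source file); not a real project.
INIT_OLD = "void init(void) {\n  setup();\n}\n"
INIT_NEW = "void init(void) {\n  setup();\n  log(\"init\");\n}\n"
COPY_VULN = "void copy(char *dst, const char *src, size_t n) {\n  memcpy(dst, src, n);\n}\n"
COPY_FIXED = "void copy(char *dst, const char *src, size_t n) {\n  memcpy(dst, src, min(n, MAX));\n}\n"
HISTORY: Dict[str, str] = {
    "v1.0": INIT_OLD,                 # copy() does not exist yet
    "v1.1": INIT_OLD + COPY_VULN,     # unchecked memcpy introduced
    "v1.2": INIT_NEW + COPY_VULN,     # unrelated change, still vulnerable
    "v1.2.1": INIT_NEW + COPY_FIXED,  # maintenance release with the fix backported
    "v1.3": INIT_NEW + COPY_FIXED,    # the fix commit itself
}


def fix_evidence(parent: str, fixed: str) -> Tuple[List[str], List[str]]:
    """Lines removed and lines added by the fix commit, whitespace-normalised."""
    deleted, added = [], []
    for d in difflib.ndiff(parent.splitlines(), fixed.splitlines()):
        if d.startswith("- "):
            deleted.append(d[2:].strip())
        elif d.startswith("+ "):
            added.append(d[2:].strip())
    return deleted, added


def screen(history: Dict[str, str], fix_parent: str, fix_version: str) -> Dict[str, str]:
    """Classify every version other than the fix itself by line-level evidence.

    Caveat: a fix that only adds a check leaves `deleted` empty, so this toy
    heuristic can no longer tell 'not vulnerable' from 'vulnerable'; such
    commits need richer evidence (the slicing the paper proposes) or review.
    """
    deleted, added = fix_evidence(history[fix_parent], history[fix_version])
    verdicts: Dict[str, str] = {}
    for tag, src in history.items():
        if tag == fix_version:
            continue
        lines = {line.strip() for line in src.splitlines()}
        if added and all(a in lines for a in added):
            verdicts[tag] = "fixed"                   # fixed code already present
        elif any(d in lines for d in deleted):
            verdicts[tag] = "potentially vulnerable"  # removed (vulnerable) code present
        else:
            verdicts[tag] = "not vulnerable"          # vulnerable code never existed here
    return verdicts


if __name__ == "__main__":
    for tag, verdict in screen(HISTORY, "v1.2", "v1.3").items():
        print(f"{tag}: {verdict}")
```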

Keywords:
Security maintenance; Security vulnerabilities; Free and Open Source Software

Supplementary material:
Software Prototype: https://zenodo.org/record/3238361

Please cite this work as follows:
S. Dashevskyi, A. D. Brucker, and F. Massacci, “A screening test for disclosed vulnerabilities in FOSS components,” IEEE Trans. Software Eng., vol. 45, no. 10, pp. 945–966, Oct. 2019, doi: 10.1109/TSE.2018.2816033. Author copy: https://logicalhacking.com/publications/dashevskyi.ea-vulnerability-screening-2018/

BibTeX
@Article{ dashevskyi.ea:vulnerability-screening:2018,
  author          = {Stanislav Dashevskyi and Achim D. Brucker and Fabio
                     Massacci},
  title           = {A Screening Test for Disclosed Vulnerabilities in {FOSS}
                     Components},
  journal         = {{IEEE} Trans. Software Eng.},
  volume          = {45},
  number          = {10},
  month           = {oct},
  pages           = {945--966},
  doi             = {10.1109/TSE.2018.2816033},
  year            = {2019},
  abstract        = {Free and Open Source Software (FOSS) components are
                     ubiquitous in both proprietary and open source applications.
                     Each time a vulnerability is disclosed in a FOSS component, a
                     software vendor using it in an application must decide whether
                     to update the FOSS component, patch the application itself, or
                     just do nothing as the vulnerability is not applicable to the
                     older version of the FOSS component used. This is particularly
                     challenging for enterprise software vendors that consume
                     thousands of FOSS components and offer more than a decade of
                     support and security fixes for their applications. Moreover,
                     customers expect vendors to react quickly to disclosed
                     vulnerabilities---in case of widely discussed vulnerabilities
                     such as Heartbleed, within hours.
                     
                     To address this challenge, we propose a screening test: a
                     novel, automatic method based on thin slicing, for estimating
                     quickly whether a given vulnerability is present in a consumed
                     FOSS component by looking across its entire repository. We
                     show that our screening test scales to large open source
                     projects (e.g., Apache Tomcat, Spring Framework, Jenkins) that
                     are routinely used by large software vendors, scanning
                     thousands of commits and hundreds of thousands of lines of code in a
                     matter of minutes.
                     
                     Further, we provide insights on the empirical probability
                     that, on the above-mentioned projects, a potentially
                     vulnerable component might not actually be vulnerable after
                     all.},
  keywords        = {Security maintenance; Security vulnerabilities; Free and Open
                     Source Software},
  language        = {USenglish},
  supplementary01 = {https://zenodo.org/record/3238361},
  supplabel01     = {Software Prototype},
  areas           = {security, software},
  note            = {Author copy: \url{https://logicalhacking.com/publications/dashevskyi.ea-vulnerability-screening-2018/}},
  pdf             = {https://logicalhacking.com/publications/dashevskyi.ea-vulnerability-screening-2018/dashevskyi.ea-vulnerability-screening-2018.pdf},
}