Software composition analysis for vulnerability detection: An empirical study on Java projects

Author

Lida ZHAO
Sen CHEN
Zhengzi XU
Lyuye ZHANG
Jiahui WU
Jun SUN, Singapore Management UniversityFollow
Yang LIU

Publication Type

Conference Proceeding Article

Version

acceptedVersion

Publication Date

12-2023

Abstract

Software composition analysis (SCA) tools are proposed to detect potential vulnerabilities introduced by open-source software (OSS) imported as third-party libraries (TPL). With the increasing complexity of software functionality, SCA tools may encounter various scenarios during the dependency resolution process, such as diverse formats of artifacts, diverse dependency imports, and diverse dependency specifications. However, there still lacks a comprehensive evaluation of SCA tools for Java that takes into account the above scenarios. This could lead to a confined interpretation of comparisons, improper use of tools, and hinder further improvements of the tools. To fill this gap, we proposed an Evaluation Model which consists of Scan Modes, Scan Methods, and SCA Scope for Maven (SSM), for comprehensive assessments of the dependency resolving capabilities and effectiveness of SCA tools. Based on the Evaluation Model, we first qualitatively examined 6 SCA tools’ capabilities. Next, the accuracy of dependency and vulnerability is quantitatively evaluated with a large-scale dataset (21,130 Maven modules with 73,499 unique dependencies) under two Scan Modes (i.e., build scan and pre-build scan). The results show that most tools do not fully support SSM, which leads to compromised accuracy. For dependency detection, the average F1-score is 0.890 and 0.692 for build and pre-build respectively, and for vulnerability accuracy, the average F1-score is 0.475. However, proper support for SSM reduces dependency detection false positives by 34.24% and false negatives by 6.91%. This further leads to a reduction of 18.28% in false positives and 8.72% in false negatives in vulnerability reports.

Keywords

SCA, Package manager, Vulnerability detection

Discipline

Software Engineering

Research Areas

Software and Cyber-Physical Systems

Publication

ESEC/FSE 2023: Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, San Francisco, December 5-7

First Page

960

Last Page

972

ISBN

9798400703270

Identifier

10.1145/3611643.3616299

Publisher

ACM

City or Country

New York

Citation

ZHAO, Lida; CHEN, Sen; XU, Zhengzi; ZHANG, Lyuye; WU, Jiahui; SUN, Jun; and LIU, Yang. Software composition analysis for vulnerability detection: An empirical study on Java projects. (2023). ESEC/FSE 2023: Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, San Francisco, December 5-7. 960-972.
Available at: https://ink.library.smu.edu.sg/sis_research/9317

Copyright Owner and License

Authors

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1145/3611643.3616299