Impact assessment for vulnerabilities in open-source software libraries
Henrik Plate, Serena Elisa Ponta, Antonino Sabetta
TL;DR
The paper tackles the problem of determining whether a disclosed vulnerability in an open-source library affects a particular application. It introduces a pragmatic framework, independent of programming language and vulnerability type, that compares the set of programming constructs changed by the security patch, $C_{ij}$, with the set of constructs the application actually executes, $T_a$. A central Assessment Engine combines the output of a Patch Analyzer (which derives $C_{ij}$ from the fix commit), a Runtime Tracer (which collects $T_a$ during tests or production runs) and a Source Code Analyzer to deliver evidence-based assessments. A Java proof-of-concept demonstrates the workflow, including patch retrieval from the library's VCS, code analysis with Maven and ANTLR, and bytecode instrumentation with Javassist. It is validated in a CVE-2014-0050 case study in which a non-empty intersection $C_{ij}\cap T_a$ showed that the application executes code changed by the fix, and in which identifying the affected library versions required careful resolution between Maven artifact versions and CPE identifiers. The work also discusses data integration challenges and the limitations of the approach (trace coverage bounds what can be observed, so an empty intersection is not proof of safety, and both false positives and false negatives remain possible), and suggests integrating vulnerability assessment into CI systems for continuous monitoring. Overall, the approach provides timely, concrete signals to guide urgent patch decisions and is extensible across languages and vulnerability types.
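The workflow summarized above, as an added example that is not the paper's proof-of-concept (which is written in Java and uses Javassist and Maven): a Python stand-in that derives $C_{ij}$ from a unified diff of the fix, derives $T_a$ from tracer log lines, intersects the two sets and combines the result with a version check. The diff, the trace line format (`<timestamp> EXEC <construct> <archive>`), the class and method names and the bundled version are constructed for illustration and do not reproduce the real CVE-2014-0050 fix commit; the fixed version 1.3.1 of Commons FileUpload is taken as given, and only numeric dotted versions are compared.

```python
"""Evidence-based impact assessment (added example, not the paper's code):
C_ij = constructs changed by a security fix, T_a = constructs the application
executed; a non-empty C_ij & T_a is evidence that the patched code is reached.
The diff, trace lines and versions below are constructed for illustration and
do not reproduce the real CVE-2014-0050 fix."""
import re

# Heuristic for a Java method/constructor declaration on one line: optional
# modifiers, optional return type, an identifier, '(' and no ';' afterwards.
_DECL = re.compile(r'^\s*(?:(?:public|protected|private|static|final|synchronized)\s+)*'
                   r'(?:[\w<>\[\],.\s]+\s+)?(\w+)\s*\([^;]*$')
_KEYWORDS = {"if", "for", "while", "switch", "catch", "synchronized"}
_FILE = re.compile(r'^\+\+\+ b/(.+\.java)$')
# Constructed tracer output format: '<timestamp> EXEC <fqcn.method> <archive>'.
_TRACE = re.compile(r'^(\S+)\s+EXEC\s+(\S+)\s+(\S+)$')


def _fqcn(path):
    """Map a Maven-style source path to a fully qualified class name."""
    for root in ("src/main/java/", "src/test/java/", "src/java/"):
        if path.startswith(root):
            path = path[len(root):]
            break
    return path[:-len(".java")].replace("/", ".")


def changed_constructs(diff_text):
    """Patch Analyzer stand-in: C_ij as 'fqcn.method' identifiers whose body has an
    added or removed line. Constructors are named '<init>' to match the JVM naming
    that bytecode instrumentation reports. Hunks that start inside a method whose
    declaration is not in the hunk context are not attributed (heuristic limit)."""
    changed, fqcn, current = set(), None, None
    for raw in diff_text.splitlines():
        m = _FILE.match(raw)
        if m:
            fqcn, current = _fqcn(m.group(1)), None
            continue
        if fqcn is None or raw.startswith(("diff ", "index ", "--- ")):
            continue
        if raw.startswith("@@"):
            current = None
            continue
        if not raw or raw[0] not in " +-":
            continue
        mark, line = raw[0], raw[1:]
        d = _DECL.match(line)
        if mark != "-" and d and d.group(1) not in _KEYWORDS:
            name = d.group(1)
            if name == fqcn.rsplit(".", 1)[-1]:
                name = "<init>"
            current = f"{fqcn}.{name}"
        if mark in "+-" and current:
            changed.add(current)
    return changed


def executed_constructs(trace_lines):
    """Runtime Tracer stand-in: T_a as {construct: archive} from trace log lines."""
    executed = {}
    for line in trace_lines:
        m = _TRACE.match(line.strip())
        if m:
            executed[m.group(2)] = m.group(3)
    return executed


def version_key(version):
    """Numeric dotted versions only ('1.3' < '1.3.1'); an assumption of this example."""
    return tuple(int(p) for p in version.split("."))


def assess(changed, executed, bundled_version, fixed_version):
    """Assessment Engine stand-in: returns (C_ij & T_a, verdict)."""
    intersection = changed & set(executed)
    if version_key(bundled_version) >= version_key(fixed_version):
        verdict = "not affected: bundled version already contains the fix"
    elif intersection:
        verdict = "affected: traces execute constructs changed by the fix"
    else:
        # Absence from traces is not proof of safety: coverage of the traced
        # runs bounds what this check can observe (false negatives possible).
        verdict = "no evidence: no changed construct observed in traces"
    return intersection, verdict


# Constructed fix diff (illustrative; not the real CVE-2014-0050 commit).
FIX_DIFF = """\
diff --git a/src/main/java/org/apache/commons/fileupload/MultipartStream.java b/src/main/java/org/apache/commons/fileupload/MultipartStream.java
--- a/src/main/java/org/apache/commons/fileupload/MultipartStream.java
+++ b/src/main/java/org/apache/commons/fileupload/MultipartStream.java
@@ -150,6 +150,9 @@
     public MultipartStream(InputStream input, byte[] boundary, int bufSize) {
         this.input = input;
         this.bufSize = bufSize;
+        if (bufSize < boundary.length + 3) {
+            throw new IllegalArgumentException("buffer too small for boundary");
+        }
         this.buffer = new byte[bufSize];
     }
 
@@ -402,5 +405,6 @@
     public int discardBodyData() throws IOException {
-        return readBodyData(null);
+        final int discarded = readBodyData(null);
+        return discarded;
     }
"""

# Constructed Runtime Tracer output for one test run of the application.
TRACE_LOG = [
    "2015-02-10T09:12:44Z EXEC com.example.upload.UploadServlet.doPost app.war",
    "2015-02-10T09:12:44Z EXEC org.apache.commons.fileupload.MultipartStream.<init> commons-fileupload-1.3.jar",
    "2015-02-10T09:12:44Z EXEC org.apache.commons.fileupload.MultipartStream.readBoundary commons-fileupload-1.3.jar",
    "2015-02-10T09:12:45Z EXEC com.example.upload.UploadServlet.doPost app.war",
]


def run_case_study(bundled_version="1.3", fixed_version="1.3.1"):
    """Whole workflow on the constructed data: (C_ij, T_a, C_ij & T_a, verdict)."""
    changed = changed_constructs(FIX_DIFF)
    executed = executed_constructs(TRACE_LOG)
    intersection, verdict = assess(changed, executed, bundled_version, fixed_version)
    return changed, set(executed), intersection, verdict


if __name__ == "__main__":
    c, t, inter, verdict = run_case_study()
    print("C_ij      :", sorted(c))
    print("T_a       :", sorted(t))
    print("C_ij & T_a:", sorted(inter))
    print("verdict   :", verdict)
```

The two changed constructs are the `MultipartStream` constructor and `discardBodyData`; only the constructor appears in the trace, so the intersection contains it alone and the verdict is "affected" for a bundled 1.3 and "not affected" once the bundled version is 1.3.1 or later. An empty intersection yields "no evidence" rather than "not affected", which is the coverage caveat the paper makes explicit.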
Abstract
Software applications integrate more and more open-source software (OSS) to benefit from code reuse. As a drawback, each vulnerability discovered in bundled OSS potentially affects the application. Upon the disclosure of every new vulnerability, the application vendor has to decide whether it is exploitable in its particular usage context, and hence whether users require an urgent application patch containing a non-vulnerable version of the OSS. Current decision making is mostly based on high-level vulnerability descriptions and expert knowledge and is therefore effort-intensive and error-prone. This paper proposes a pragmatic approach to facilitate the impact assessment, describes a proof-of-concept for Java, and examines one example vulnerability as a case study. The approach is independent of specific kinds of vulnerabilities or programming languages and can deliver immediate results.
