Detection, assessment and mitigation of vulnerabilities in open source dependencies
Empirical Software Engineering (IF 4.1), Pub Date: 2020-06-30, DOI: 10.1007/s10664-020-09830-x
Serena Elisa Ponta , Henrik Plate , Antonino Sabetta

Open source software (OSS) libraries are widely used in industry to speed up the development of software products. However, these libraries are subject to an ever-increasing number of publicly disclosed vulnerabilities. It is thus crucial for application developers to detect dependencies on vulnerable libraries in a timely manner, to assess their impact precisely, and to mitigate any resulting risk. This paper presents a novel method to detect, assess and mitigate OSS vulnerabilities. Unlike state-of-the-art approaches that rely on metadata to identify vulnerable OSS dependencies, our solution is code-centric: it combines static and dynamic analyses to determine whether the vulnerable portion of a library is reachable in the context of a given application. Our approach also supports developers in choosing among the existing non-vulnerable library versions, with the goal of identifying and minimizing incompatibilities. Eclipse Steady, the open source implementation of our code-centric and usage-based approach, is the tool recommended for scanning Java software products at SAP; it has been used successfully to perform more than one million scans of about 1500 applications. In this paper we report on the lessons learned while maturing the tool from a research prototype into an industrial-grade solution. To evaluate Eclipse Steady, we conducted an empirical study comparing its detection capabilities with those of OWASP Dependency Check (OWASP DC), scanning 300 large enterprise applications under development with a total of 78165 dependencies. Reviewing a sample of the findings reported by only one of the two tools revealed that all Steady findings are true positives, whereas 88.8% of the OWASP DC findings for vulnerabilities covered by our code-centric approach are false positives. For vulnerabilities not caused by code but due, e.g., to erroneous configuration, 63.3% of OWASP DC findings are true positives.
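The abstract contrasts metadata-based matching with a code-centric, usage-based assessment: first check whether the vulnerable code is actually inside the dependency, then whether the application reaches it (statically via the call graph, or dynamically via observed execution), and finally choose a non-vulnerable version that breaks as little of the application's usage as possible. The Python sketch below is an added illustration of that pipeline and is not code from Eclipse Steady or from the paper. The library `com.example:parser`, its versions, the method signatures and body digests, the advisory id `VULN-EXAMPLE-1`, and the application call graph are all constructed for the example.

```python
"""Toy model of metadata-based vs code-centric detection of vulnerable OSS
dependencies, plus ranking of non-vulnerable replacement versions.
Added illustration only, not code from Eclipse Steady or the paper: every
library, version, signature, body digest, advisory id and call-graph entry
below is constructed for the example.
"""
from collections import deque
from dataclasses import dataclass

@dataclass
class Dependency:
    group: str
    artifact: str
    version: str
    constructs: dict  # method signature -> digest of the body shipped in the jar

@dataclass
class Vulnerability:
    vuln_id: str
    group: str
    artifact: str
    affected_versions: frozenset  # what the advisory metadata lists
    vulnerable_constructs: dict   # signature -> digest of the *vulnerable* body

def metadata_match(dep, vuln):
    """Metadata-based detection: coordinates and version string, nothing else."""
    return ((dep.group, dep.artifact) == (vuln.group, vuln.artifact)
            and dep.version in vuln.affected_versions)

def vulnerable_code_present(dep, vuln):
    """Code-centric detection: which vulnerable method bodies are really in the jar.
    A backported fix keeps the signature but changes the body, so compare digests."""
    return frozenset(sig for sig, digest in vuln.vulnerable_constructs.items()
                     if dep.constructs.get(sig) == digest)

def reachable_from(entry_points, call_graph):
    """Static analysis: breadth-first search over the application call graph."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        caller = queue.popleft()
        for callee in call_graph.get(caller, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return frozenset(seen)

def assess(dep, vuln, entry_points, call_graph, traces):
    """Presence first, then static reachability OR'ed with dynamic traces.
    Returns (present, reachable) as sets of vulnerable construct signatures."""
    present = vulnerable_code_present(dep, vuln)
    if not present:
        return present, frozenset()
    statically = reachable_from(entry_points, call_graph) & present
    dynamically = frozenset(traces) & present
    return present, statically | dynamically

def rank_fixed_versions(candidates, vuln, used_constructs):
    """Mitigation: drop versions still carrying a vulnerable body, then rank the
    rest by how many constructs the application calls would disappear."""
    ranked = []
    for cand in candidates:
        if vulnerable_code_present(cand, vuln):
            continue
        missing = sorted(used_constructs - frozenset(cand.constructs))
        ranked.append((len(missing), cand.version, missing))
    return sorted(ranked)

# ---- constructed sample data (not real libraries or advisories) ----
DECODE = "com.example.parser.Decoder.decode(String)"
READ_ENTITY = "com.example.parser.Decoder.readEntity(String)"
ENCODE = "com.example.parser.Encoder.encode(Object)"

VULN = Vulnerability("VULN-EXAMPLE-1", "com.example", "parser",
                     frozenset({"1.0.0", "1.1.0", "1.2.0"}),
                     {DECODE: "b0d1", READ_ENTITY: "c3e7"})

def parser_jar(version, decode_digest, read_digest, encoder=ENCODE):
    return Dependency("com.example", "parser", version,
                      {DECODE: decode_digest, READ_ENTITY: read_digest, encoder: "e001"})

PARSER_1_2_0 = parser_jar("1.2.0", "b0d1", "c3e7")           # vulnerable bodies as shipped
PARSER_1_2_0_BACKPORT = parser_jar("1.2.0", "f1x0", "f1x1")  # same version, patched bodies
PARSER_1_3_0 = parser_jar("1.3.0", "f1x0", "f1x1")           # fixed upstream, same API
PARSER_2_0_0 = parser_jar("2.0.0", "f1x0", "f1x1",           # fixed, but Encoder.encode renamed
                          encoder="com.example.parser.Encoder.encodeV2(Object)")

# Application call graph: caller -> callees. Admin.dump() is never reached from main().
CALL_GRAPH = {
    "com.acme.app.Main.main(String[])": ["com.acme.app.Importer.run()"],
    "com.acme.app.Importer.run()": [DECODE, ENCODE],
    "com.acme.app.Admin.dump()": [READ_ENTITY],
}
ENTRY_POINTS = ["com.acme.app.Main.main(String[])"]
APP_USES = frozenset(c for callees in CALL_GRAPH.values() for c in callees
                     if c.startswith("com.example."))
```

Calling `metadata_match(PARSER_1_2_0_BACKPORT, VULN)` flags the backported jar because its version string is in the advisory's range, while `assess(PARSER_1_2_0_BACKPORT, VULN, ENTRY_POINTS, CALL_GRAPH, [])` reports nothing present, which is the kind of metadata-only false positive the abstract's comparison is about. For the genuinely vulnerable `PARSER_1_2_0`, both vulnerable bodies are present but only `Decoder.decode` is reachable from `main()`; `Decoder.readEntity` becomes reachable only if a dynamic trace observes it. The digest comparison stands in for comparing a jar's constructs against the fix commit, and `rank_fixed_versions` prefers 1.3.0 over 2.0.0 because the latter drops an `Encoder` method the application calls.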

Updated: 2020-06-30