Are Third-Party Libraries Secure? A Software Library Checker for Java
Nowadays, there are many software libraries for different purposes that are used by various projects. An application is only as secure as its weakest component; thus if an imported library includes a certain vulnerability, an application could get insecure. Therefore a widespread search for existing security flaws within used libraries is necessary. Big databases like the National Vulnerability Database (NVD) comprise reported security incidents and can be utilized to determine whether a software library is secure or not. This classification is a very time-consuming and exhausting task.
We have developed a tool-based automated approach for supporting developers in this complex task through heuristics embedded in an eclipse plugin. Documented vulnerabilities stored in databases will be taken into consideration for the security classification of libraries. Weaknesses do not always entail the same consequences; a scoring that identifies the criticality oriented on their potential consequences is applied. In this paper, a method for the enrichment of knowledge containing vulnerability databases is considered.
Our approach is focussing on the scope of software weaknesses, which are library reasoned and documented in vulnerability databases. The Java Library Checker was implemented as eclipse plugin for supporting developers to make potential insecure third-party libraries visible to them.
KeywordsSoftware library Vulnerability database Metadata
- 1.Acar, Y., Stransky, C., Wermke, D., Mazurek, M.L., Fahl, S.: Security developer studies with GitHub users: exploring a convenience sample. In: Symposium on Usable Privacy and Security (SOUPS) (2017)Google Scholar
- 2.Cheikes, B.A., Waltermire, D., Scarfone, K.: Common platform enumeration: naming specification version 2.3. NIST Interagency Report 7695, NIST-IR 7695 (2011)Google Scholar
- 3.de la Mora, F.L., Nadi, S.: Which library should I use? A metric-based comparison of software libraries (2018)Google Scholar
- 5.Giffhorn, D., Hammer, C.: Precise analysis of Java programs using JOANA. In: Cordy, J.R. (ed.) Eighth IEEE International Working Conference on Source Code Analysis and Manipulation, pp. 267–268. IEEE, Piscataway (2008)Google Scholar
- 11.Watanabe, T., et al.: Understanding the origins of mobile app vulnerabilities: a large-scale measurement study of free and paid apps. In: 2017 IEEE/ACM 14th International Conference on Mining Software Repositories, pp. 14–24. IEEE, Piscataway (2017)Google Scholar