Enhancing Vulnerability Detection: A Comparative Study of Change Identification Methods Across Granularity Levels
Abstract
Vulnerabilities in open source software (OSS) pose a real threat to the security of the software that depends on it.
Dependency check tools exist to mitigate this risk; however, they often produce imprecise warnings because they rely on metadata alone rather than on the code that is actually used.
This thesis investigates a more code-centric use of CVEs and the effect this has on detecting whether vulnerabilities in OSS dependencies are reachable.
It proposes an automated approach that enriches CVEs with more precise code-level information by leveraging references such as patches, repositories, and vulnerability databases.
It then investigates how the accuracy of various (partly novel) approaches is affected by the granularity at which changes are identified (packages, classes, or methods) and by the source of the patch information (a link to a single commit, a pull request containing several commits, or a binary diff).
Our experimental results show that these code-centric approaches significantly improve vulnerability detection, achieving higher precision than traditional dependency checkers.
We also present the trade-offs between the different methods, highlighting their strengths and weaknesses.
Through this work, we show how incorporating code information into dependency analysis can substantially enhance the detection of vulnerable code paths, offering more accurate risk assessments across software ecosystems.
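As an added illustration (not code from the thesis, whose implementation is not shown on this page), the following Python sketch shows the idea behind the granularity comparison: a patch diff is mapped to the units it changes at package, class and method level, and each set is intersected with the methods an application can reach. The patch, the application call graph, the class and method names, and every helper function are constructed for the example; no real CVE or library is involved. The output shows why the same patch is flagged at package and class granularity but not at method granularity when the application never calls the fixed method.

```python
"""Reachability of a patched method at package, class and method granularity.

Added example, not the thesis's code. Patch, call graph and names are
constructed; the Java signature regex is deliberately simple.
"""
import re
from dataclasses import dataclass

# Constructed unified diff for a hypothetical fix in a Java library.
PATCH = """\
diff --git a/src/main/java/com/example/json/Parser.java b/src/main/java/com/example/json/Parser.java
--- a/src/main/java/com/example/json/Parser.java
+++ b/src/main/java/com/example/json/Parser.java
@@ -40,7 +40,9 @@ public class Parser {
     public Object parse(String s) {
-        return parseValue(s, 0);
+        if (s.length() > MAX_LEN) {
+            throw new IllegalArgumentException("input too large");
+        }
+        return parseValue(s, 0);
     }
@@ -60,6 +62,7 @@ public class Parser {
     private Object parseValue(String s, int pos) {
-        char c = s.charAt(pos);
+        char c = pos < s.length() ? s.charAt(pos) : '\\0';
         switch (c) {
"""

# Constructed call graph of a hypothetical application (caller -> callees,
# fully qualified method names). It calls Parser.version() but never parse().
CALL_GRAPH = {
    "app.Main.main": {"app.Main.banner", "com.example.util.Strings.trim"},
    "app.Main.banner": {"com.example.json.Parser.version"},
    "com.example.json.Parser.version": set(),
    "com.example.util.Strings.trim": set(),
}

FILE_RE = re.compile(r"^\+\+\+ b/(.+)$")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+\d+(?:,\d+)? @@(.*)$")
# Matches a Java method declaration line ending in "{"; not a full grammar.
METHOD_RE = re.compile(
    r"^\s*(?:public|private|protected|static|final|\s)*[\w<>\[\]]+\s+(\w+)\s*"
    r"\([^)]*\)\s*(?:throws [\w.,\s]+)?\s*\{")


@dataclass(frozen=True)
class ChangedMethod:
    package: str
    cls: str
    method: str


def java_package_and_class(path):
    """src/main/java/com/example/json/Parser.java -> ('com.example.json', 'Parser')."""
    parts = path.split("/")
    if "java" in parts:
        parts = parts[parts.index("java") + 1:]
    return ".".join(parts[:-1]), parts[-1].removesuffix(".java")


def changed_methods(patch):
    """Attribute every added/removed line to the enclosing method signature seen
    most recently in the hunk (or named in the hunk's function context)."""
    changed, pkg, cls, current = set(), None, None, None
    for line in patch.splitlines():
        if m := FILE_RE.match(line):
            pkg, cls = java_package_and_class(m.group(1))
            current = None
            continue
        if m := HUNK_RE.match(line):
            sig = METHOD_RE.match(m.group(1).strip())
            current = sig.group(1) if sig else None
            continue
        if line.startswith(("+++", "---")) or not line or line[0] not in " +-":
            continue
        if sig := METHOD_RE.match(line[1:]):
            current = sig.group(1)
        if line[0] in "+-" and current and pkg is not None:
            changed.add(ChangedMethod(pkg, cls, current))
    return changed


def reachable_methods(graph, entry):
    """Depth-first closure over the call graph from the entry point."""
    seen, stack = set(), [entry]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, ()))
    return seen


def split_fqn(fqn):
    pkg_cls, method = fqn.rsplit(".", 1)
    pkg, cls = pkg_cls.rsplit(".", 1)
    return pkg, cls, method


def vulnerable_reachable(changed, reachable, granularity):
    """Changed units at the chosen granularity that the application reaches."""
    def key(pkg, cls, method):
        if granularity == "package":
            return pkg
        if granularity == "class":
            return f"{pkg}.{cls}"
        if granularity == "method":
            return f"{pkg}.{cls}.{method}"
        raise ValueError(granularity)
    changed_keys = {key(c.package, c.cls, c.method) for c in changed}
    reached_keys = {key(*split_fqn(m)) for m in reachable}
    return changed_keys & reached_keys


def assess(patch, graph, entry):
    """Compare the three granularities for one patch and one application."""
    changed = changed_methods(patch)
    reached = reachable_methods(graph, entry)
    return {g: sorted(vulnerable_reachable(changed, reached, g))
            for g in ("package", "class", "method")}


if __name__ == "__main__":
    for granularity, hits in assess(PATCH, CALL_GRAPH, "app.Main.main").items():
        print(f"{granularity:8s} flagged: {hits or 'nothing (fix not reachable)'}")
```

Package and class granularity both report the dependency as affected because the application reaches something in `com.example.json.Parser`; only method granularity notices that `parse()` and `parseValue()` are never called. The same attribution step would run over every commit of a pull request, with the union of changed methods as the result, which is where coarser or noisier patch sources start to add false positives.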