Modern software heavily relies on the use of components. Those components are usually published in central repositories, and managed by build systems via dependencies. Due to issues around vulnerabilities, licenses and the propagation of bugs, the study of those dependencies is of utmost importance, and numerous software composition analysis tools have emerged to address those issues. A particular challenge are hidden dependencies that are the result of cloning or shading where code from a component is "inlined", and, in the case of shading, moved to different namespaces. We present an approach to detect cloned and shaded artifacts in the Maven repository. Our approach is lightweight in that it does not require the creation and maintenance of an index, and uses a custom AST-based clone detection. Our analysis focuses on the detection of vulnerabilities in artifacts which use cloning or shading. Starting with eight vulnerabilities with assigned CVEs (four of those classified as critical) and proof-of-vulnerability projects demonstrating the presence of a vulnerability in an artifact, we query the Maven repository and retrieve over 16k potential clones of the vulnerable artifacts. After running our analysis on this set, we detect 554 artifacts with the respective vulnerabilities (49 if versions are ignored). We synthesize a testable proof-of-vulnerability project for each of those. We demonstrate that existing SCA tools often miss these exposures.
翻译:现代软件高度依赖组件的使用。这些组件通常发布在中央仓库中,并通过构建系统以依赖项形式进行管理。由于漏洞、许可证和错误传播等问题,对这些依赖项的研究至关重要,众多软件成分分析工具应运而生以应对这些挑战。一个特殊的挑战在于隐藏依赖关系——它们源于克隆(cloning)或遮蔽(shading)操作,其中组件代码被"内联",且在遮蔽场景下被迁移至不同的命名空间。我们提出了一种在Maven仓库中检测克隆和遮蔽工件的方法。该方法具有轻量级特性,无需创建和维护索引,并采用基于AST的自定义克隆检测技术。我们的分析聚焦于检测使用克隆或遮蔽的工件中的漏洞。以八个已分配CVE编号(其中四个被归类为严重级)的漏洞和证明存在漏洞的验证项目为起点,我们查询Maven仓库并检索到超过16000个潜在易受攻击工件的克隆。在此基础上运行分析后,我们检测到554个存在相应漏洞的工件(忽略版本差异时为49个)。针对每个漏洞,我们合成了可测试的漏洞验证项目。研究表明,现有SCA工具往往未能识别这些暴露风险。