On average, 71% of the code in typical Java projects comes from open-source software (OSS) dependencies, making OSS dependencies the dominant component of modern software code bases. This high degree of OSS reliance comes with a considerable security risk: known security vulnerabilities are pulled into a code base along with the dependency. To remedy this risk, researchers and companies have developed various dependency scanners, which try to identify inclusions of known-to-be-vulnerable OSS dependencies. However, there are still challenges that modern dependency scanners do not overcome, especially when it comes to dependency modifications, such as re-compilations, re-bundlings or re-packagings, which are common in the Java ecosystem. To overcome these challenges, we present Jaralyzer, a bytecode-centric dependency scanner for Java. Jaralyzer does not rely on the metadata or the source code of the included OSS dependencies being available but directly analyzes a dependency's bytecode. Our evaluation across 56 popular OSS components demonstrates that Jaralyzer outperforms other popular dependency scanners in detecting vulnerabilities within modified dependencies. It is the only scanner capable of identifying vulnerabilities across all of the above-mentioned types of modifications. Even when applied to unmodified dependencies, Jaralyzer outperforms the current state-of-the-art code-centric scanner Eclipse Steady by detecting 28 more true vulnerabilities and yielding 29 fewer false warnings.
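The following Python script is an added illustration of why the three modifications named above defeat metadata-based scanning; it is not Jaralyzer's code and does not reproduce Jaralyzer's actual matching algorithm. It builds four in-memory JARs around a minimal hand-assembled class file (original, re-bundled into an application JAR without Maven metadata, re-compiled with a different class-file version, and re-packaged by relocating the package as maven-shade does), then compares a scanner that keys on `META-INF/maven/.../pom.properties` coordinates with one that parses the class file's constant pool and fingerprints its normalised content. The Maven coordinates, class names and the advisory id `HYPO-2024-0001` are constructed for the example, and re-compilation is modelled only as a change of class-file version; a real recompile can also reorder the constant pool, so a production fingerprint needs more normalisation than this toy.

```python
"""Added illustration: metadata-based vs. bytecode-based matching under JAR modifications.
All coordinates, class names and the advisory id are constructed for this example."""
import hashlib
import io
import struct
import zipfile

OBJECT = b"java/lang/Object"
VULN_COORDS = {("com.example", "vuln-lib", "1.0.0"): "HYPO-2024-0001"}  # constructed advisory DB


def build_class(internal_name, method_name="parse", method_desc="(Ljava/lang/String;)V", major=52):
    """Emit a minimal, parseable class file: one abstract method, no attributes."""
    name, mname, mdesc = internal_name.encode(), method_name.encode(), method_desc.encode()
    cp = (struct.pack(">BH", 7, 2)                       # #1 Class -> #2
          + struct.pack(">BH", 1, len(name)) + name      # #2 Utf8 this class
          + struct.pack(">BH", 7, 4)                     # #3 Class -> #4
          + struct.pack(">BH", 1, len(OBJECT)) + OBJECT  # #4 Utf8 super class
          + struct.pack(">BH", 1, len(mname)) + mname    # #5 Utf8 method name
          + struct.pack(">BH", 1, len(mdesc)) + mdesc)   # #6 Utf8 method descriptor
    body = (struct.pack(">HHHH", 0x0421, 1, 3, 0)        # access flags, this, super, interfaces_count
            + struct.pack(">HH", 0, 1)                   # fields_count, methods_count
            + struct.pack(">HHHH", 0x0401, 5, 6, 0)      # ACC_PUBLIC|ACC_ABSTRACT, name, desc, attrs
            + struct.pack(">H", 0))                      # class attributes_count
    return struct.pack(">IHHH", 0xCAFEBABE, 0, major, 7) + cp + body


def parse_class(data):
    """Walk the constant pool; return (major, pool, this-class name, bytes after the pool)."""
    magic, _minor, major, cp_count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    off, i, pool = 10, 1, {}
    while i < cp_count:
        tag = data[off]
        if tag == 1:                                   # CONSTANT_Utf8
            (n,) = struct.unpack_from(">H", data, off + 1)
            pool[i] = (1, data[off + 3:off + 3 + n].decode("utf-8"))
            off += 3 + n
        elif tag in (7, 8, 16, 19, 20):                # single u2 payload
            pool[i] = (tag, struct.unpack_from(">H", data, off + 1)[0]); off += 3
        elif tag in (3, 4, 9, 10, 11, 12, 17, 18):     # 4-byte payload
            pool[i] = (tag, struct.unpack_from(">I", data, off + 1)[0]); off += 5
        elif tag == 15:                                # MethodHandle: u1 kind + u2 index
            pool[i] = (15, data[off + 1:off + 4].hex()); off += 4
        elif tag in (5, 6):                            # Long/Double occupy two slots
            pool[i] = (tag, data[off + 1:off + 9].hex()); off += 9; i += 1
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    this_idx = struct.unpack_from(">H", data, off + 2)[0]
    return major, pool, pool[pool[this_idx][1]][1], data[off:]


def fingerprint(class_bytes):
    """Hash the class content with its own package prefix (what shading relocates) stripped
    from Utf8 entries and the class-file version (what recompilation changes) left out."""
    _major, pool, this_name, tail = parse_class(class_bytes)
    pkg = this_name.rsplit("/", 1)[0] + "/" if "/" in this_name else ""
    norm = [(tag, val.replace(pkg, "") if tag == 1 else val) for tag, val in (pool[k] for k in sorted(pool))]
    return hashlib.sha256((repr(norm) + tail.hex()).encode()).hexdigest()


def make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def metadata_scan(jar, db):
    """Coordinate lookup from pom.properties, the way metadata-centric scanners work."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        for n in zf.namelist():
            if n.startswith("META-INF/maven/") and n.endswith("pom.properties"):
                props = dict(l.split("=", 1) for l in zf.read(n).decode().splitlines()
                             if "=" in l and not l.startswith("#"))
                key = (props.get("groupId"), props.get("artifactId"), props.get("version"))
                if key in db:
                    found.append(db[key])
    return found


def bytecode_scan(jar, db):
    """Fingerprint every .class entry regardless of where it sits or what it is called."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        for n in zf.namelist():
            if n.endswith(".class"):
                fp = fingerprint(zf.read(n))
                if fp in db:
                    found.add(db[fp])
    return sorted(found)


ORIGINAL_CLASS = build_class("com/example/vuln/Parser")
VULN_FPS = {fingerprint(ORIGINAL_CLASS): "HYPO-2024-0001"}  # fingerprint-keyed advisory DB
POM_PROPS = b"groupId=com.example\nartifactId=vuln-lib\nversion=1.0.0\n"
JARS = {
    "original": make_jar({"META-INF/maven/com.example/vuln-lib/pom.properties": POM_PROPS,
                          "com/example/vuln/Parser.class": ORIGINAL_CLASS}),
    "rebundled": make_jar({"com/example/vuln/Parser.class": ORIGINAL_CLASS,          # fat JAR, no metadata
                           "app/Main.class": build_class("app/Main", "main", "([Ljava/lang/String;)V")}),
    "recompiled": make_jar({"com/example/vuln/Parser.class": build_class("com/example/vuln/Parser", major=55)}),
    "shaded": make_jar({"app/shaded/vuln/Parser.class": build_class("app/shaded/vuln/Parser")}),  # relocated
}


def scan_all():
    return {name: {"metadata": metadata_scan(j, VULN_COORDS), "bytecode": bytecode_scan(j, VULN_FPS)}
            for name, j in JARS.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:11s} metadata={hits['metadata']} bytecode={hits['bytecode']}")
```

Only the untouched original JAR carries a `pom.properties` that the coordinate lookup can match; the bytecode scanner still flags the other three because it matches what the class actually contains rather than what the archive says about itself.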