Litcius/Paper detail

Automated identification of libraries from vulnerability data

Stefanus Agus Haryono, Hong Jin Kang, Abhishek Sharma, Asankhaya Sharma, Andrew E. Santosa, Ang Ming Yi, David Lo

202217 citationsDOIOpen Access PDF

Abstract

Software engineers depend heavily on software libraries and have to update their dependencies once vulnerabilities are found in them. Software Composition Analysis (SCA) helps developers identify vulnerable libraries used by an application. A key challenge is the identification of libraries related to a given reported vulnerability in the National Vulnerability Database (NVD), which may not explicitly indicate the affected libraries. Recently, researchers have tried to address the problem of identifying the libraries from an NVD report by treating it as an extreme multi-label learning (XML) problem, characterized by its large number of possible labels and severe data sparsity. As input, the NVD report is provided, and as output, a set of relevant libraries is returned.

Topics & Concepts

Computer scienceIdentification (biology)Vulnerability (computing)XMLSoftwareKey (lock)Set (abstract data type)Data scienceInformation retrievalWorld Wide WebComputer securityProgramming languageBotanyBiologyWeb Application Security VulnerabilitiesNetwork Security and Intrusion DetectionAdvanced Malware Detection Techniques