Effectiveness of using call graphs to detect propagated vulnerabilities


Abstract

Software development today relies heavily on third-party source code. A logical consequence is that vulnerabilities in such code can be propagated to the applications that use it. Tools like Dependabot can alert developers about packages they use that contain vulnerabilities. Such alerts often turn out to be false positives because the vulnerable functionality of the package is never used. Current research by the FASTEN Project revolves around analysing dependency networks at a finer granularity, moving from package-level to method-level analysis with the help of call graphs. In theory, such analysis gives better insight into how much a dependency actually exposes an application to a vulnerability. This report aims to show the practical effectiveness of using call graphs to detect propagated vulnerabilities. To evaluate that effectiveness, results generated through method-level analysis were studied with regard to whether a vulnerability in the corresponding project is reproducible. The study also describes possible improvements to call graphs for detecting vulnerabilities more accurately. An experiment based on call graph analysis was conducted to detect propagated vulnerabilities in a set of public software repositories; the data about the repositories and vulnerabilities was provided by the FASTEN Project. Each vulnerability detection was manually verified, and its impact was studied using public information about the corresponding vulnerability. The results of this experiment show that none of the potential propagated vulnerabilities could be reproduced. This implies that a larger set of repositories needs to be analysed before meaningful conclusions can be drawn about the effectiveness of call graphs for detecting propagated vulnerabilities. The proposed improvements to call graphs show only a fraction of the precision that such fine-grained analysis could reach.
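The difference between package-level and method-level analysis described in the abstract can be illustrated with a small reachability check. The following is an added example, not code from the report or from the FASTEN Project: the call graph, the package name `libfoo`, the method names and the advisory identifiers are all constructed. A package-level check (Dependabot-style) alerts on every advisory in any package the application calls into; the method-level check walks the call graph from the application's entry points and only reports advisories whose vulnerable method is actually reachable, together with the call path that reaches it.

```python
from collections import deque

# Constructed call graph (not FASTEN data): caller -> list of callees, using
# "package.Class.method" names. "app" is the application under analysis and
# "libfoo" is a hypothetical third-party dependency.
CALL_GRAPH = {
    "app.Main.main": ["app.Main.run", "libfoo.Parser.parse"],
    "app.Main.run": ["libfoo.Util.trim"],
    "libfoo.Parser.parse": ["libfoo.Util.trim"],
    "libfoo.Util.trim": [],
    "libfoo.Net.fetch": ["libfoo.Net.connect"],   # shipped with libfoo, never called by app
    "libfoo.Net.connect": [],
}

# Constructed advisory data: vulnerable method -> placeholder advisory id.
VULNERABLE_METHODS = {
    "libfoo.Util.trim": "ADVISORY-PLACEHOLDER-A",   # reachable from the app
    "libfoo.Net.fetch": "ADVISORY-PLACEHOLDER-B",   # present in the package, unreachable
}


def package_of(method: str) -> str:
    """First dotted component of a fully qualified method name."""
    return method.split(".", 1)[0]


def package_level_alerts(graph, vulns, app_package):
    """Package-level check: alert on every advisory in any package the app calls into."""
    used_packages = {
        package_of(callee)
        for caller, callees in graph.items()
        if package_of(caller) == app_package
        for callee in callees
    }
    return {vid for method, vid in vulns.items() if package_of(method) in used_packages}


def reachable_vulnerabilities(graph, vulns, entry_points):
    """Method-level check: BFS over the call graph from the app's entry points.

    Returns advisory id -> call path (entry point ... vulnerable method) for each
    vulnerable method that is actually reachable; unreachable advisories are omitted.
    """
    parent = {ep: None for ep in entry_points}
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)

    found = {}
    for method, vid in vulns.items():
        if method in parent:
            path, cur = [], method
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            found[vid] = list(reversed(path))
    return found


if __name__ == "__main__":
    print("package-level alerts:", sorted(package_level_alerts(CALL_GRAPH, VULNERABLE_METHODS, "app")))
    for vid, path in reachable_vulnerabilities(CALL_GRAPH, VULNERABLE_METHODS, ["app.Main.main"]).items():
        print("method-level:", vid, "via", " -> ".join(path))
```

On this constructed graph the package-level check raises both advisories, while the method-level check reports only ADVISORY-PLACEHOLDER-A, with the path `app.Main.main -> app.Main.run -> libfoo.Util.trim`; ADVISORY-PLACEHOLDER-B is the kind of alert the abstract calls a false positive. The recorded path is what a reviewer would use to manually verify a detection, as the report's experiment did for each one. Real call graphs are incomplete in ways this toy is not (reflection, dynamic dispatch, callbacks), so an empty method-level result should be read as "not reachable in the graph we have", not as proof of safety.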