Embedded Files
Go to
Introduction
Introduction
With the increasing disclosure of vulnerabilities in open-source software, software composition analysis (SCA) has been widely applied to reveal third-party libraries and the associated vulnerabilities in software projects. Beyond the revelation, SCA tools adopt various remediation strategies to fix vulnerabilities, the quality of which varies substantially. However, ineffective remediation could induce side effects, such as compilation failures, which impede acceptance by users. According to our studies, existing SCA tools cannot correctly handle the concerns of users regarding the compatibility of remediated projects. To this end, we propose Compatible Remediation of Third-party libraries (CORAL) for Maven projects to fix vulnerabilities without breaking the projects. The evaluation proved that CORAL not only fixed 87.56% of vulnerabilities which outperformed other tools (best 75.32%) and achieved a 98.67% successful compilation rate and a 92.96% successful unit test rate. Furthermore, we found that 78.45% of vulnerabilities in popular Maven projects could be fixed without breaking the compilation.
Overview
Overview
Main Contribution
Main Contribution
We proposed CORAL as a remediation tool for Maven projects to handle global optimization for enhanced security and compatibility.
We studied the concerns of users towards remediation suggestions by analyzing Pull Requests (PRs) and found that 51.31% of cases were related to incompatibility.
We empirically compared and analyzed strategies of popular remediation tools regarding their support of compatibility and prioritization for the reference of other researchers.
Research Questions
Research Questions
RQ1: How is CORAL compared with other cutting-edge remediation tools regarding security and compatibility?
RQ2: How effectively does CORAL resolve the challenge of global optimization by subgraph partitioning?
RQ3: How many vulnerabilities CAN/CANNOT be fixed without breaking the projects in the Maven ecosystem?
The source code is accessible at https://github.com/zly123987/coral
Page updated
Google Sites
Report abuse