Computer Science ›› 2025, Vol. 52 ›› Issue (6): 1-20. doi: 10.11896/jsjkx.240400023
张旭明1, 史涯晴1, 黄松1, 王兴亚1,2, 胡津昌1, 陆江涛1
ZHANG Xuming1, SHI Yaqing1, HUANG Song1, WANG Xingya1,2, HU Jinchang1, LU Jiangtao1
Abstract: The unstoppable trend toward software componentization and the multi-person collaborative development process have gradually given rise to the open-source software supply chain. While flourishing open-source software brings great convenience, open-source vulnerabilities quietly arrive along with the supply chain, threatening the security and reliability of software systems. Software composition analysis (SCA) provides substantive support for maintaining the security of the fragile open-source software supply chain: through its two core functions, open-source component vulnerability detection and automatic repair, it discovers and fixes potential vulnerabilities and risks in software projects. To deepen researchers' understanding of how software composition analysis is applied to security vulnerabilities in practice, this paper reviews and summarizes recent research progress and results in open-source software component vulnerability detection and automatic repair techniques; further, from the user's perspective, it summarizes and analyzes 8 currently common SCA tools along 8 analysis dimensions; finally, it discusses the remaining challenges of open-source component vulnerability detection and automatic repair techniques and looks ahead to possible future directions.