It has become common practice for software projects to adopt third-party dependencies. Developers are encouraged to update any outdated dependency to remain safe from potential threats of vulnerabilities. In this study, we present an approach to aid developers show whether or not a vulnerable code is reachable for JavaScript projects. Our prototype, SōjiTantei, is evaluated in two ways (i) the accuracy when compared to a manual approach and (ii) a larger-scale analysis of 780 clients from 78 security vulnerability cases. The first evaluation shows that SōjiTantei has a high accuracy of 83.3%, with a speed of less than a second analysis per client. The second evaluation reveals that 68 out of the studied 78 vulnerabilities reported having at least one clean client. The study proves that automation is promising with the potential for further improvement.
Bodin CHINTHANET
Nara Institute of Science and Technology
Raula GAIKOVINA KULA
Nara Institute of Science and Technology
Rodrigo ELIZA ZAPATA
Nara Institute of Science and Technology
Takashi ISHIO
Nara Institute of Science and Technology
Kenichi MATSUMOTO
Nara Institute of Science and Technology
Akinori IHARA
Wakayama University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Copy
Bodin CHINTHANET, Raula GAIKOVINA KULA, Rodrigo ELIZA ZAPATA, Takashi ISHIO, Kenichi MATSUMOTO, Akinori IHARA, "SōjiTantei: Function-Call Reachability Detection of Vulnerable Code for npm Packages" in IEICE TRANSACTIONS on Information,
vol. E105-D, no. 1, pp. 19-20, January 2022, doi: 10.1587/transinf.2021MPL0001.
Abstract: It has become common practice for software projects to adopt third-party dependencies. Developers are encouraged to update any outdated dependency to remain safe from potential threats of vulnerabilities. In this study, we present an approach to aid developers show whether or not a vulnerable code is reachable for JavaScript projects. Our prototype, SōjiTantei, is evaluated in two ways (i) the accuracy when compared to a manual approach and (ii) a larger-scale analysis of 780 clients from 78 security vulnerability cases. The first evaluation shows that SōjiTantei has a high accuracy of 83.3%, with a speed of less than a second analysis per client. The second evaluation reveals that 68 out of the studied 78 vulnerabilities reported having at least one clean client. The study proves that automation is promising with the potential for further improvement.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2021MPL0001/_p
Copy
@ARTICLE{e105-d_1_19,
author={Bodin CHINTHANET, Raula GAIKOVINA KULA, Rodrigo ELIZA ZAPATA, Takashi ISHIO, Kenichi MATSUMOTO, Akinori IHARA, },
journal={IEICE TRANSACTIONS on Information},
title={SōjiTantei: Function-Call Reachability Detection of Vulnerable Code for npm Packages},
year={2022},
volume={E105-D},
number={1},
pages={19-20},
abstract={It has become common practice for software projects to adopt third-party dependencies. Developers are encouraged to update any outdated dependency to remain safe from potential threats of vulnerabilities. In this study, we present an approach to aid developers show whether or not a vulnerable code is reachable for JavaScript projects. Our prototype, SōjiTantei, is evaluated in two ways (i) the accuracy when compared to a manual approach and (ii) a larger-scale analysis of 780 clients from 78 security vulnerability cases. The first evaluation shows that SōjiTantei has a high accuracy of 83.3%, with a speed of less than a second analysis per client. The second evaluation reveals that 68 out of the studied 78 vulnerabilities reported having at least one clean client. The study proves that automation is promising with the potential for further improvement.},
keywords={},
doi={10.1587/transinf.2021MPL0001},
ISSN={1745-1361},
month={January},}
Copy
TY - JOUR
TI - SōjiTantei: Function-Call Reachability Detection of Vulnerable Code for npm Packages
T2 - IEICE TRANSACTIONS on Information
SP - 19
EP - 20
AU - Bodin CHINTHANET
AU - Raula GAIKOVINA KULA
AU - Rodrigo ELIZA ZAPATA
AU - Takashi ISHIO
AU - Kenichi MATSUMOTO
AU - Akinori IHARA
PY - 2022
DO - 10.1587/transinf.2021MPL0001
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E105-D
IS - 1
JA - IEICE TRANSACTIONS on Information
Y1 - January 2022
AB - It has become common practice for software projects to adopt third-party dependencies. Developers are encouraged to update any outdated dependency to remain safe from potential threats of vulnerabilities. In this study, we present an approach to aid developers show whether or not a vulnerable code is reachable for JavaScript projects. Our prototype, SōjiTantei, is evaluated in two ways (i) the accuracy when compared to a manual approach and (ii) a larger-scale analysis of 780 clients from 78 security vulnerability cases. The first evaluation shows that SōjiTantei has a high accuracy of 83.3%, with a speed of less than a second analysis per client. The second evaluation reveals that 68 out of the studied 78 vulnerabilities reported having at least one clean client. The study proves that automation is promising with the potential for further improvement.
ER -