English

The Dynamics of Software Composition Analysis

Software Engineering 2019-10-01 v2 Programming Languages

Abstract

Developers today use significant amounts of open source code, surfacing the need for ways to automatically audit and upgrade library dependencies, and giving rise to the subfield of Software Composition Analysis (SCA). SCA products are concerned with three tasks: discovering dependencies, checking the reachability of vulnerable code for false positive elimination, and automated remediation. The latter two tasks rely on call graphs of application and library code to check whether vulnerability-specific sinks identified in libraries are used by applications. However, statically-constructed call graphs introduce both false positives and false negatives on real-world projects. In this paper, we develop a novel, modular means of combining call graphs derived from both static and dynamic analysis to improve the performance of false positive elimination. Our experiments indicate significant performance improvements.

Keywords

Cite

@article{arxiv.1909.00973,
  title  = {The Dynamics of Software Composition Analysis},
  author = {Darius Foo and Jason Yeo and Hao Xiao and Asankhaya Sharma},
  journal= {arXiv preprint arXiv:1909.00973},
  year   = {2019}
}

Comments

ASE 2019, LBR

R2 v1 2026-06-23T11:03:41.688Z