| dc.contributor.author | Dashevskyi, S | |
| dc.contributor.author | Brucker, AD | |
| dc.contributor.author | Massacci, F | |
| dc.date.accessioned | 2019-12-09T11:33:49Z | |
| dc.date.issued | 2018-03-15 | |
| dc.description.abstract | Free and Open Source Software (FOSS) components are ubiquitous in both proprietary and open source applications. Each time a vulnerability is disclosed in a FOSS component, a software vendor must decide whether to update the FOSS component, patch the application itself, or just do nothing as the vulnerability is not applicable to the old deployed version. This is particularly challenging for enterprise software vendors that consume thousands of FOSS components and offer more than a decade of support and security fixes for their applications. To address this challenge we propose a screening test: a novel, automatic method based on thin slicing, for estimating quickly whether a given vulnerability is present in a consumed FOSS component by looking across its entire repository. We show that our screening test scales to large open source projects (e.g., Apache Tomcat, Spring Framework, Jenkins) that are routinely used by large software vendors, scanning thousands of commits and hundred thousands lines of code in a matter of minutes. Further, we provide insights on the empirical probability that, on the above mentioned projects, a potentially vulnerable component might not actually be vulnerable after all. | en_GB |
| dc.identifier.citation | Vol. 45: pp. 945 - 966 | en_GB |
| dc.identifier.doi | 10.1109/TSE.2018.2816033 | |
| dc.identifier.uri | http://hdl.handle.net/10871/40027 | |
| dc.language.iso | en | en_GB |
| dc.publisher | Institute of Electrical and Electronics Engineers (IEEE) | en_GB |
| dc.rights | © 2018 IEEE. Personal use of this material is permitted. Permission from IEEE must be
obtained for all other uses, in any current or future media, including
reprinting/republishing this material for advertising or promotional purposes, creating new
collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted
component of this work in other works. | en_GB |
| dc.subject | Security maintenance | en_GB |
| dc.subject | security vulnerabilities | en_GB |
| dc.subject | patch management | en_GB |
| dc.subject | free and open source software | en_GB |
| dc.title | A screening test for disclosed vulnerabilities in FOSS components | en_GB |
| dc.type | Article | en_GB |
| dc.date.available | 2019-12-09T11:33:49Z | |
| dc.identifier.issn | 0098-5589 | |
| dc.description | This is the author accepted manuscript. The final version is available from the publisher via the DOI in this record | en_GB |
| dc.identifier.journal | IEEE Transactions on Software Engineering | en_GB |
| dc.rights.uri | http://www.rioxx.net/licenses/all-rights-reserved | en_GB |
| dcterms.dateAccepted | 2018-04-04 | |
| rioxxterms.version | AM | en_GB |
| rioxxterms.licenseref.startdate | 2018-03-15 | |
| rioxxterms.type | Journal Article/Review | en_GB |
| refterms.dateFCD | 2019-12-09T11:28:04Z | |
| refterms.versionFCD | AM | |
| refterms.dateFOA | 2019-12-09T11:33:54Z | |
| refterms.panel | B | en_GB |
