Title: The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach
Authors: Giacomo Benedetti, Serena Cofano, Alessandro Brighente, Mauro Conti
Identifier: arxiv-2409.06390
Venue: arXiv - CS - Cryptography and Security
Publication date: 2024-09-10
Citation count: 0
Abstract
Software Supply Chain (SSC) security is a critical concern for both users and developers. Recent incidents, such as the SolarWinds Orion compromise, demonstrated the widespread impact that the distribution of compromised software can have. The reliance on open-source components, which constitute a significant portion of modern software, further exacerbates this risk. To enhance SSC security, the Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition. However, despite its promise, SBOMs are not without limitations. Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies, leading to erroneous or incomplete representations of the SSC. Although existing studies have exposed these limitations, their impact on the vulnerability detection capabilities of security tools is still unknown.

In this paper, we perform the first security analysis of the vulnerability detection capabilities of tools that receive SBOMs as input. We comprehensively evaluate SBOM generation tools by providing their outputs to vulnerability identification software. Based on our results, we identify the root causes of these tools' ineffectiveness and propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings. PIP-sbom provides improved accuracy in component identification and dependency resolution. Compared to the best-performing state-of-the-art tools, PIP-sbom increases the average precision and recall by 60% and reduces the number of false positives by a factor of ten.