Impact assessment of third-party library vulnerabilities through vulnerability reachability analysis

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-07-09 DOI:10.1016/j.cose.2025.104546

Zhizhuang Jia, Chao Yang, Pengbin Feng, Xiaoyun Zhao, Xinghua Li, Jianfeng Ma

{"title":"Impact assessment of third-party library vulnerabilities through vulnerability reachability analysis","authors":"Zhizhuang Jia, Chao Yang, Pengbin Feng, Xiaoyun Zhao, Xinghua Li, Jianfeng Ma","doi":"10.1016/j.cose.2025.104546","DOIUrl":null,"url":null,"abstract":"<div><div>Modern software development increasingly relies on third-party libraries (TPLs) to accelerate development, yet this practice introduces security risks when vulnerabilities emerge in dependencies. When a new TPL vulnerability is disclosed, project maintainers must assess whether their projects are affected, a process that demands considerable developer effort. Vulnerability reachability analysis automates this process by evaluating whether a client program’s control flow can reach the vulnerable TPL function. Despite the numerous advantages, however, existing vulnerability reachability analysis fail to account for the impact of path constraints, leading to false alarms by incorrectly identifying unreachable vulnerable functions as reachable. In this paper, we propose CPVRA, a novel impact assessment framework designed to reduce false alarms by incorporating a satisfiability assessment of path constraints into the analysis process. We evaluated CPVRA using a benchmark dataset comprising 201 test cases derived from 6 widely used TPLs and 24 dependent client programs. The results show that CPVRA reduced false alarms by 40.9% compared to Dep-scan and by 39.5% compared to standard vulnerability reachability analysis. Additionally, CPVRA demonstrated high computational efficiency, with an average analysis time of 15.3 s per client program.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104546"},"PeriodicalIF":5.4000,"publicationDate":"2025-07-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825002354","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Modern software development increasingly relies on third-party libraries (TPLs) to accelerate development, yet this practice introduces security risks when vulnerabilities emerge in dependencies. When a new TPL vulnerability is disclosed, project maintainers must assess whether their projects are affected, a process that demands considerable developer effort. Vulnerability reachability analysis automates this process by evaluating whether a client program’s control flow can reach the vulnerable TPL function. Despite the numerous advantages, however, existing vulnerability reachability analysis fail to account for the impact of path constraints, leading to false alarms by incorrectly identifying unreachable vulnerable functions as reachable. In this paper, we propose CPVRA, a novel impact assessment framework designed to reduce false alarms by incorporating a satisfiability assessment of path constraints into the analysis process. We evaluated CPVRA using a benchmark dataset comprising 201 test cases derived from 6 widely used TPLs and 24 dependent client programs. The results show that CPVRA reduced false alarms by 40.9% compared to Dep-scan and by 39.5% compared to standard vulnerability reachability analysis. Additionally, CPVRA demonstrated high computational efficiency, with an average analysis time of 15.3 s per client program.

查看原文本刊更多论文

通过漏洞可达性分析对第三方库漏洞进行影响评估

现代软件开发越来越依赖于第三方库（tpl）来加速开发，但是当依赖项中出现漏洞时，这种做法引入了安全风险。当新的TPL漏洞被披露时，项目维护者必须评估他们的项目是否受到影响，这一过程需要开发人员付出相当大的努力。漏洞可达性分析通过评估客户端程序的控制流是否能够到达易受攻击的TPL功能来自动化此过程。尽管有很多优点，但是，现有的漏洞可达性分析没有考虑到路径约束的影响，导致错误地将不可达的漏洞功能识别为可达，从而产生假警报。在本文中，我们提出了一种新的影响评估框架CPVRA，旨在通过将路径约束的满意度评估纳入分析过程来减少误报。我们使用基准数据集评估CPVRA，该数据集包含201个测试用例，这些测试用例来自6个广泛使用的tpl和24个依赖的客户端程序。结果表明，与深度扫描相比，CPVRA减少了40.9%的假警报，与标准漏洞可达性分析相比减少了39.5%。此外，CPVRA显示出很高的计算效率，每个客户端程序的平均分析时间为15.3 s。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.