Antonio Germán Márquez, Ángel Jesús Varela-Vaca, María Teresa Gómez López, José A. Galindo, David Benavides
Title: Depex: A software for analysing and reasoning about vulnerabilities in software projects dependencies
Journal: SoftwareX, volume 30, article 102152 (journal article, published 2025-04-22)
DOI: 10.1016/j.softx.2025.102152
URL: https://www.sciencedirect.com/science/article/pii/S2352711025001190
Open access: no
Citations: 0

Depex: A software for analysing and reasoning about vulnerabilities in software projects dependencies

Abstract

This paper presents Depex, a tool that allows developers to reason over the entire configuration space of the dependencies of an open-source software repository. The dependency information is extracted from the repository's requirements files and from the package managers of the dependencies, producing a graph that includes information about the security vulnerabilities affecting each dependency. The dependency graph enables automatic reasoning: it is encoded as a Boolean satisfiability model that is solved with Satisfiability Modulo Theories (SMT). Automatic reasoning supports operations such as identifying the safest dependency configuration or validating whether a particular configuration is secure. To demonstrate the impact of the proposal, Depex has been evaluated on more than 300 real open-source repositories from the Python Package Index (PyPI), Node Package Manager (NPM) and Maven Central (Maven), and compared with commercial tools currently on the market.
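The reasoning the abstract describes, as an added example that is not part of the paper or of the Depex code base: a constructed package index with version ranges and CVSS scores for three hypothetical packages ("web", "http", "tls"), a constraint model over the resulting configuration space, and the two operations named above (find the safest configuration, validate a given one). Depex hands this kind of model to an SMT solver; here a backtracking search over the small space stands in for the solver so the example runs with the standard library only. The risk objective (sum of CVSS base scores of the selected releases) is an assumption for illustration, not the paper's metric.

```python
"""Added illustration, not the paper's or Depex's own code. Package names,
releases, version ranges and CVSS scores are constructed. Depex hands a model
like this to an SMT solver; here a backtracking search over the small
configuration space plays the solver's role."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
Config = Dict[str, Optional[Version]]  # package -> selected version, None = not installed


@dataclass(frozen=True)
class Req:
    """Version-range requirement: lo inclusive, hi exclusive, None = unbounded."""
    name: str
    lo: Optional[Version] = None
    hi: Optional[Version] = None

    def allows(self, v: Version) -> bool:
        return (self.lo is None or v >= self.lo) and (self.hi is None or v < self.hi)


@dataclass(frozen=True)
class Release:
    version: Version
    requires: Tuple[Req, ...]  # outgoing edges of the dependency graph
    cvss: Tuple[float, ...]    # base scores of known vulnerabilities in this release


# Constructed sample index (hypothetical packages, ranges and scores).
INDEX: Dict[str, List[Release]] = {
    "web": [
        Release((1, 0, 0), (Req("http", (2, 0, 0), (3, 0, 0)),), (7.5,)),
        Release((1, 1, 0), (Req("http", (2, 1, 0), (3, 0, 0)), Req("tls", (1, 0, 0))), ()),
    ],
    "http": [
        Release((2, 0, 0), (Req("tls", None, (1, 2, 0)),), (9.8,)),
        Release((2, 1, 0), (Req("tls", (1, 1, 0)),), (5.3,)),
        Release((2, 2, 0), (Req("tls", (1, 2, 0)),), ()),
    ],
    "tls": [Release((1, 0, 0), (), (8.1,)), Release((1, 1, 0), (), ()), Release((1, 2, 0), (), ())],
}


def release_of(pkg: str, ver: Optional[Version]) -> Optional[Release]:
    return next((r for r in INDEX.get(pkg, []) if r.version == ver), None)


def violations(config: Config, root: List[Req], partial: bool = False) -> List[str]:
    """Model constraints: every requirement of the root and of each selected release
    is satisfied, and nothing is installed that nobody requires. partial=True skips
    edges whose target is not assigned yet, so a partial assignment can be pruned."""
    problems: List[str] = []
    edges = [("<root>", r) for r in root]
    for pkg, ver in config.items():
        if ver is None:
            continue
        rel = release_of(pkg, ver)
        if rel is None:
            problems.append(f"{pkg} {ver} is not a known release")
        else:
            edges.extend((pkg, r) for r in rel.requires)
    for src, req in edges:
        if req.name not in config:
            if not partial:
                problems.append(f"{src} requires {req.name}, which is not in the configuration")
        elif config[req.name] is None or not req.allows(config[req.name]):
            problems.append(f"{src} requires {req.name} {req.lo}..{req.hi} but {config[req.name]} is selected")
    if not partial:
        required = {req.name for _, req in edges}
        problems += [f"{p} is installed but nothing requires it"
                     for p, v in config.items() if v is not None and p not in required]
    return problems


def risk(config: Config) -> float:
    """Illustrative objective (an assumption, not the paper's metric): the sum of
    CVSS base scores over all selected releases."""
    rels = (release_of(p, v) for p, v in config.items() if v is not None)
    return round(float(sum(sum(r.cvss) for r in rels if r is not None)), 1)


def configurations(root: List[Req]) -> List[Config]:
    """Enumerate every consistent configuration by backtracking over the packages."""
    packages, found = list(INDEX), []

    def assign(i: int, config: Config) -> None:
        if i == len(packages):
            if not violations(config, root):
                found.append(dict(config))
            return
        for choice in [r.version for r in INDEX[packages[i]]] + [None]:
            config[packages[i]] = choice
            if not violations(config, root, partial=True):  # prune early
                assign(i + 1, config)
            del config[packages[i]]

    assign(0, {})
    return found


def safest_configuration(root: List[Req]) -> Optional[Config]:
    """Operation 1: the consistent configuration that minimises the risk objective."""
    found = configurations(root)
    return min(found, key=risk) if found else None


def validate(config: Config, root: List[Req]) -> Tuple[bool, float, List[str]]:
    """Operation 2: is this exact configuration consistent, and how risky is it?"""
    problems = violations(config, root)
    return not problems, risk(config), problems
```

With a root requirement of `web >= 1.0.0`, the search finds eight consistent configurations; the safest selects `web 1.1.0`, `http 2.2.0`, `tls 1.2.0` with no known vulnerabilities, while a pinned configuration such as `web 1.1.0 / http 2.0.0 / tls 1.2.0` is rejected with the two range violations that make it inconsistent. For a real repository the enumeration is replaced by the SMT solver, which handles the same constraints and objective without walking the whole space.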
Journal description:
SoftwareX aims to acknowledge the impact of software on today's research practice, and on new scientific discoveries in almost all research domains. SoftwareX also aims to stress the importance of the software developers who are, in part, responsible for this impact. To this end, SoftwareX aims to support publication of research software in such a way that: The software is given a stamp of scientific relevance, and provided with a peer-reviewed recognition of scientific impact; The software developers are given the credits they deserve; The software is citable, allowing traditional metrics of scientific excellence to apply; The academic career paths of software developers are supported rather than hindered; The software is publicly available for inspection, validation, and re-use. Above all, SoftwareX aims to inform researchers about software applications, tools and libraries with a (proven) potential to impact the process of scientific discovery in various domains. The journal is multidisciplinary and accepts submissions from within and across subject domains such as those represented within the broad thematic areas below: Mathematical and Physical Sciences; Environmental Sciences; Medical and Biological Sciences; Humanities, Arts and Social Sciences. Originating from these broad thematic areas, the journal also welcomes submissions of software that works in cross-cutting thematic areas, such as citizen science, cybersecurity, digital economy, energy, global resource stewardship, health and wellbeing, etcetera. SoftwareX specifically aims to accept submissions representing domain-independent software that may impact more than one research domain.