
Open Source Software Vulnerability Management For Multi-Dimensional Propagation Models

Posted on: 2024-01-17
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Shi
Full Text: PDF
GTID: 1528307319462594
Subject: Cyberspace security
Abstract/Summary:
Open source software is an important component of the software development process. It has improved the efficiency of software development, but it also brings challenges. Vulnerabilities spread widely along with the use of open source software, which has a profound impact on software security. With the popularity and increasing complexity of open source software, software vulnerability management has become increasingly important. There are three main problems in open source vulnerability management. Firstly, software systems evolve more and more frequently, so vulnerabilities propagate across version iterations; in addition, vulnerability attributes are often missing, which makes it difficult to determine when a vulnerability was introduced and which software versions are affected. Secondly, software complexity is increasing, and clones are widely present both within and between open source projects. A vulnerability can therefore appear in multiple locations: once it is found in one clone instance, the same vulnerability may exist in the others. Existing clone management and vulnerability detection are not closely linked into a whole that supports proactively managing the security risk of clones and tracking clone-incurred vulnerabilities. Finally, in the open source collaborative development model, developers tend to prefer third-party open source components, producing a complex network of dependencies between open source software. Developers do not always review the security of every dependent component, so vulnerabilities propagate along the software dependency chain. To address these problems, vulnerability management of open source software is studied from the following three perspectives.

For vulnerability propagation in software evolution, a method for managing vulnerabilities during software evolution is proposed. It collects and pre-processes vulnerability information from multiple data sources and uses the vulnerability data to assess security across software evolution. To assess software security, vulnerability attributes and security metrics are defined. To address missing vulnerability attributes, an algorithm is designed to determine the time at which a vulnerability was introduced. The vulnerability management method is applied to OpenBSD and Firefox for experimental analysis, and the results demonstrate its effectiveness. The results show that software becomes more secure during its evolution; vulnerabilities have a long lifetime in software and require continuous monitoring; OpenBSD and Firefox are affected by similar vulnerability types, mainly memory management vulnerabilities; the severity of vulnerabilities in OpenBSD and Firefox is similar, but Firefox vulnerabilities are easier to exploit; the average vulnerability density of OpenBSD is 6.58 vulnerabilities per 10^6 LOC and that of Firefox is 56.95 vulnerabilities per 10^6 LOC, so Firefox's vulnerability density is almost an order of magnitude higher than OpenBSD's, meaning Firefox is more vulnerable.

For clone-incurred vulnerability propagation, an approach for automatically managing clone-incurred vulnerabilities is proposed, using the notions of a spatial clone-relation graph and a temporal clone-relation graph to describe the clone landscape of software systems. The spatial clone-relation graph describes clone-based relationships between software programs, while the temporal clone-relation graph describes the evolution of clones in software over time. Clone management and vulnerability management are closely linked into a cohesive whole, so that clone-incurred vulnerabilities can be tracked. The approach is applied to eight Ubuntu versions to track clone-incurred vulnerabilities. The results show that clones are prevalent, with about one-sixth of the codebase consisting of clones; intra-program clones are often attributed to polymorphism or functional similarity between procedures, while inter-program clones are often attributed to shared code repositories and reuse of libraries; the clone surface of Linux remains stable at around 0.6, and the lifetime of 53% of clones spans eight Linux versions; the clone-incurred vulnerability surface in Linux is small, and vulnerable clones and non-vulnerable clones have similar lifetimes.

For vulnerability propagation through open source component dependencies, an approach to open source software vulnerability management based on a knowledge graph is proposed. To handle files that were modified when a component was incorporated, a Simhash-based file dependency identification algorithm is designed to identify modified open source components; to handle false positives caused by nested dependencies during component identification, an open source component repository construction method with file feature indexing is proposed to identify the root source of each file; and to handle complex open source component dependencies, a vulnerability knowledge graph for C/C++ open source software is constructed to manage software dependencies and the relations between vulnerabilities and software, so that the propagation of vulnerabilities through component dependencies can be tracked. On the given GitHub C/C++ open source software dataset, the accuracy of open source component identification reaches 94%. The results show that the number of vulnerabilities in open source components is growing; vulnerabilities in open source components propagate along the component dependency chain; and vulnerable open source components and software can be identified using knowledge-graph-based open source software vulnerability management.

In summary, this thesis addresses the problems of vulnerability propagation in open source software and manages vulnerabilities along different dimensions, which can enhance understanding of the nature of vulnerabilities and their propagation patterns. It not only enriches current practice in managing vulnerabilities in open source software but also offers new ideas for improving software security.
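The software-evolution perspective above rests on three things the abstract only names: an algorithm that fills in a missing introduction version, a notion of which versions a vulnerability is present in, and the security metrics computed from that (vulnerability density per 10^6 LOC, vulnerability lifetime). The page does not describe the thesis's own algorithm, so the following is an added example, not the dissertation's code, that uses a common heuristic as a stand-in: walk back from the fixing release while the function still contains the lines the fix removed, and take the earliest version of that unbroken run as the introduction. The release list, line counts, function bodies and vulnerability records (ids prefixed EXAMPLE-) are all constructed for illustration.

```python
"""Added example (not the dissertation's code): security metrics over a
release history, with a heuristic for a missing introduction version.
Versions, LOC, function bodies and vulnerability records are constructed."""
from datetime import date

# Constructed release history: (version, release date, lines of code)
VERSIONS = [
    ("1.0", date(2020, 1, 1), 200_000),
    ("1.1", date(2020, 7, 1), 250_000),
    ("1.2", date(2021, 1, 1), 300_000),
    ("2.0", date(2021, 7, 1), 400_000),
]
VERSION_INDEX = {v: i for i, (v, _, _) in enumerate(VERSIONS)}

# Constructed per-version bodies of the two functions the records refer to
SOURCES = {
    "1.0": {"parse_record": "memcpy(dst, src, n > cap ? cap : n);",
            "fmt_name": "sprintf(buf, name);"},
    "1.1": {"parse_record": "n = read_len(src);\nmemcpy(dst, src, n);",
            "fmt_name": 'snprintf(buf, sizeof buf, "%s", name);'},
    "1.2": {"parse_record": "n = read_len(src);\nmemcpy(dst, src, n);",
            "fmt_name": "sprintf(buf, name);"},
    "2.0": {"parse_record": "n = read_len(src);\nmemcpy(dst, src, MIN(n, cap));",
            "fmt_name": 'snprintf(buf, sizeof buf, "%s", name);'},
}

# Constructed vulnerability records; "removed" is the line the fix deleted
VULNS = [
    {"id": "EXAMPLE-VULN-1", "function": "parse_record", "removed": "memcpy(dst, src, n);",
     "introduced_in": None, "fixed_in": "2.0"},
    {"id": "EXAMPLE-VULN-2", "function": None, "removed": None,
     "introduced_in": "1.0", "fixed_in": "1.2"},
    {"id": "EXAMPLE-VULN-3", "function": "fmt_name", "removed": "sprintf(buf, name);",
     "introduced_in": None, "fixed_in": "2.0"},
]


def infer_introduction(vuln):
    """Heuristic (assumption, not the thesis's algorithm): walk back from the
    version before the fix while the function body still contains the removed
    lines; the earliest version of that unbroken run is the introduction.
    A gap ends the run, so an older, separately fixed occurrence (fmt_name in
    1.0) is not mistaken for the origin of the vulnerability fixed in 2.0."""
    intro = None
    for version, _, _ in reversed(VERSIONS[:VERSION_INDEX[vuln["fixed_in"]]]):
        body = SOURCES.get(version, {}).get(vuln["function"], "")
        if not vuln["removed"] or vuln["removed"] not in body:
            break
        intro = version
    return intro


def resolve(vulns):
    """Fill in missing 'introduced_in' attributes; returns copies."""
    out = []
    for v in vulns:
        v = dict(v)
        if v["introduced_in"] is None:
            v["introduced_in"] = infer_introduction(v)
        out.append(v)
    return out


def open_in(version, vulns):
    """Vulnerabilities present in a version: introduced at or before it and
    fixed strictly after it. Records with an unknown origin are skipped."""
    i = VERSION_INDEX[version]
    return [v for v in vulns if v["introduced_in"] is not None
            and VERSION_INDEX[v["introduced_in"]] <= i < VERSION_INDEX[v["fixed_in"]]]


def density_per_mloc(version, vulns):
    """Vulnerability density in vulnerabilities per 10^6 lines of code."""
    _, _, loc = VERSIONS[VERSION_INDEX[version]]
    return len(open_in(version, vulns)) * 1_000_000 / loc


def lifetime_days(vuln):
    """Days between the introducing and the fixing release."""
    intro = VERSIONS[VERSION_INDEX[vuln["introduced_in"]]][1]
    fix = VERSIONS[VERSION_INDEX[vuln["fixed_in"]]][1]
    return (fix - intro).days


def evolution_report(vulns):
    """{version: (open vulnerability count, density per MLOC)}."""
    return {v: (len(open_in(v, vulns)), round(density_per_mloc(v, vulns), 2))
            for v, _, _ in VERSIONS}


if __name__ == "__main__":
    resolved = resolve(VULNS)
    for version, (count, dens) in evolution_report(resolved).items():
        print(f"{version}: {count} open, {dens} vulns/MLOC")
```

The density is computed from the count of vulnerabilities open in a release and that release's size, which is the same normalisation as the per-10^6-LOC figures quoted for OpenBSD and Firefox above; the numbers here come from the constructed data and are not the thesis's results.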
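The component-dependency perspective combines two steps that the abstract names but does not detail: identifying an open source component from its files even when the files were modified locally (the Simhash-based identification), and following the dependency chain to find which software inherits a component's vulnerabilities. The added example below is not the dissertation's code and assumes a great deal it leaves unspecified: a plain dictionary stands in for the component repository and the knowledge graph, the tokenizer and the 128-bit fingerprint are ordinary Charikar Simhash choices, the 36-bit distance threshold is a constructed setting, and libfoo, libbar, libbaz, the app, its files and the EXAMPLE- advisory ids are all fictional. The file-level match is also the kind of inter-program clone relation the clone perspective describes, so the same step links both views.

```python
"""Added example, not the dissertation's code: Simhash fingerprints identify
(possibly modified) vendored copies of open source component files, and a
dependency graph propagates known advisories. The tokenizer, fingerprint
width, distance threshold, files, components, edges and advisory ids are all
constructed assumptions for illustration."""
import hashlib
import re
from collections import deque

BITS = 128  # assumption: one unkeyed 16-byte blake2b digest per token


def simhash(text):
    """Charikar Simhash: every token votes on every bit, so a few changed
    tokens flip few bits while unrelated text differs in about half."""
    votes = [0] * BITS
    for tok in re.findall(r"[A-Za-z_][A-Za-z0-9_]*|\d+", text):
        h = int.from_bytes(hashlib.blake2b(tok.encode(), digest_size=16).digest(), "big")
        for i in range(BITS):
            votes[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i, v in enumerate(votes) if v > 0)


def hamming(a, b):
    return bin(a ^ b).count("1")


def identify_component(text, index, max_distance=36):
    """Closest indexed reference within max_distance bits (assumed threshold),
    or None; patched copies match at a small nonzero distance, which is what
    plain hash equality would miss."""
    fp, best = simhash(text), None
    for component, refs in index.items():
        for ref in refs:
            d = hamming(fp, ref)
            if d <= max_distance and (best is None or d < best[1]):
                best = (component, d)
    return best


def affected_by(graph, vulnerable):
    """Walk reversed dependency edges from each vulnerable component;
    returns {affected program or library: path from the vulnerable node}."""
    dependents = {}
    for src, deps in graph.items():
        for dep in deps:
            dependents.setdefault(dep, []).append(src)
    affected, queue = {}, deque((c, [c]) for c in vulnerable)
    while queue:
        node, path = queue.popleft()
        for parent in dependents.get(node, []):
            if parent not in affected:
                affected[parent] = path + [parent]
                queue.append((parent, affected[parent]))
    return affected


def assess(files, index, declared_deps, advisories):
    """Add components found by fingerprinting as dependencies of the program
    that vendors them (assumption: top-level directory = program), then
    propagate every advisory whose component appears in the graph."""
    graph = {k: list(v) for k, v in declared_deps.items()}
    for path, text in files.items():
        hit = identify_component(text, index)
        if hit:
            graph.setdefault(path.split("/")[0], []).append(hit[0])
    known = set(graph) | {d for deps in graph.values() for d in deps}
    return graph, affected_by(graph, [c for c in advisories if c in known])


# Constructed reference copy of one libfoo source file (libfoo is fictional)
LIBFOO_REF = """\
static int foo_parse_header(const unsigned char *buf, size_t len, foo_hdr *out)
{
    size_t pos = 0;
    if (len < FOO_MIN_HDR)
        return FOO_ERR_SHORT;
    out->magic = (buf[0] << 8) | buf[1];
    if (out->magic != FOO_MAGIC)
        return FOO_ERR_MAGIC;
    out->version = buf[2];
    out->name_len = buf[3];
    pos = 4;
    memcpy(out->name, buf + pos, out->name_len);
    pos += out->name_len;
    out->payload_len = read_u32_be(buf + pos);
    pos += 4;
    out->crc = read_u32_be(buf + pos);
    pos += 4;
    out->payload = buf + pos;
    if (crc32(out->payload, out->payload_len) != out->crc)
        return FOO_ERR_CRC;
    return FOO_OK;
}
"""
# The same file as vendored into app, with a bounds check patched in locally
LIBFOO_VENDORED = LIBFOO_REF.replace("    pos = 4;\n",
    "    pos = 4;\n    if (pos + out->name_len > len)\n        return FOO_ERR_SHORT;\n")
# Constructed first-party file of app: unrelated to any indexed component
APP_OWN = """\
class ReportRenderer:
    def render(self, report, fmt):
        template = self.load_template(report.kind, fmt)
        return template.substitute(title=report.title, rows=report.rows)
"""
INDEX = {"libfoo": [simhash(LIBFOO_REF)]}
FILES = {"app/third_party/header.c": LIBFOO_VENDORED, "app/report.py": APP_OWN}
DECLARED = {"app": ["libbar"], "libbar": ["libbaz"], "libbaz": []}
ADVISORIES = {"libbaz": ["EXAMPLE-ADV-0001"], "libfoo": ["EXAMPLE-ADV-0002"]}
```

Running `assess(FILES, INDEX, DECLARED, ADVISORIES)` adds the vendored libfoo as an undeclared dependency of app and reports app as affected both directly (libfoo) and transitively (libbaz via libbar), with the path recorded so the propagation can be explained rather than only flagged. Two caveats a practitioner would add: Simhash on very short files is noisy, so the threshold should be tuned per file size, and the "root source" problem the abstract mentions (the same file reachable through several nested components) is not handled here, since every reference in the index is treated as belonging to exactly one component.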
Keywords/Search Tags: Software Security, Vulnerability Management, Code Clone, Open Source Component