Open source component libraries are widely used in software development. However, vulnerabilities in these components spread along with them and threaten the security of the software that depends on them. The industry therefore commonly uses Software Composition Analysis (SCA) to detect insecure open source components in software. As software iteration accelerates, it becomes difficult for SCA to cover every version of a piece of software, and the industry has mitigated this by moving SCA to the early stages of development, that is, by shifting security left (referred to below as the shift-left scenario, as opposed to the traditional scenario in which the built artifact is scanned). Through a validation experiment, this article finds that SCA tools produce different detection results in the shift-left scenario than in the traditional one, which can cause open source component security issues to go undiscovered and unresolved in time and thereby lead to security incidents. In addition, research on evaluating SCA in the shift-left scenario is lacking, which hinders improvement of the tools. To address these problems, this article proposes a method for evaluating SCA, uses it to evaluate multiple SCA tools, and, based on the evaluation results, explores the common problems of SCA tools and their potential for improvement. It also improves the binary SCA method. The specific work is as follows:

(1) This article proposes a method for evaluating SCA detection differences based on scanning patterns. The method generates derivative datasets and SCA tool invocation commands from the scanning patterns used in each scenario, and calculates the degree of difference between the scanning results obtained in the shift-left and traditional scenarios. We used this method to evaluate the differences that shifting left introduces in multiple SCA tools, and analyzed the advantages and disadvantages of the tools and the reasons for the differences. The evaluation method and the analysis results can help users choose a suitable SCA tool for a given shift-left scenario.

(2) This article analyzes the common problems of SCA tools revealed by the evaluation results and explores their potential for improvement. The results show that the binary SCA mode detects relatively fewer components and less vulnerability information. This is mainly because the SCA tool cannot correctly identify the component library and its version, and because the detected results omit the component dependency information supplied by the build environment. The differences observed in the source code parsing mode, in turn, are due to incomplete support for Maven configuration in the SCA tools. These findings provide new directions for subsequent SCA improvement research.

(3) To address the false positives and false negatives of the component dependency analysis used in the binary SCA mode, this article proposes a dependency analysis method based on multi-granularity feature mining and fuzzy hashing. The method extracts finer-grained feature information from binary files and performs more efficient similarity matching. The experimental results show that it is significantly better than existing methods in execution efficiency, detection accuracy and resistance to obfuscation, which demonstrates that it can effectively improve the reliability of the binary SCA detection mode.

In summary, this article remedies the shortcomings of SCA evaluation in the shift-left scenario and improves the accuracy of dependency analysis. Together, these contributions can effectively address the open source component security issues caused by shifting security left.
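The following is an added illustration, not code from the article or from any SCA tool it evaluates, of two points above: how the same project can yield different component lists under two scanning patterns, and how the degree of difference between two result sets can be expressed as a single number. The pom.xml is constructed for this example; the "naive" scanner reads the dependency list literally, while the "resolved" scanner applies Maven property substitution and dependencyManagement (but, like many real tools, still ignores parent POM inheritance and BOM imports, which is exactly the kind of partial Maven support the article describes). The Jaccard-distance score is an assumed metric for illustration, not the article's own difference measure.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not from the article). Versions are chosen
# arbitrarily: one dependency pins its version through a property, one
# inherits it from <dependencyManagement>, one states it literally.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <log4j.version>2.17.2</log4j.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.13.4</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.6</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP_RE = re.compile(r"\$\{([^}]+)\}")


def _text(el, tag):
    child = el.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def naive_components(pom_xml):
    """Scanning pattern A: read <dependencies> literally, as a scanner with no
    Maven model support would. Placeholders stay unexpanded, managed versions
    come out as None, so the component cannot be matched to an advisory."""
    root = ET.fromstring(pom_xml)
    found = set()
    for dep in root.findall("m:dependencies/m:dependency", NS):
        found.add((_text(dep, "groupId"), _text(dep, "artifactId"), _text(dep, "version")))
    return found


def resolved_components(pom_xml):
    """Scanning pattern B: expand ${property} placeholders and fill versions
    from <dependencyManagement>. Parent POMs and BOM imports are deliberately
    NOT handled here (assumed out of scope), so this is still a partial model."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    props.setdefault("project.version", _text(root, "version") or "")

    def expand(value):
        if value is None:
            return None
        return PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)

    managed = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        managed[(_text(dep, "groupId"), _text(dep, "artifactId"))] = expand(_text(dep, "version"))

    found = set()
    for dep in root.findall("m:dependencies/m:dependency", NS):
        ga = (_text(dep, "groupId"), _text(dep, "artifactId"))
        version = expand(_text(dep, "version")) or managed.get(ga)
        found.add(ga + (version,))
    return found


def difference_degree(results_a, results_b):
    """Assumed metric: Jaccard distance between two result sets
    (0.0 = identical component lists, 1.0 = nothing in common)."""
    union = results_a | results_b
    if not union:
        return 0.0
    return 1.0 - len(results_a & results_b) / len(union)


if __name__ == "__main__":
    a, b = naive_components(SAMPLE_POM), resolved_components(SAMPLE_POM)
    print("naive   :", sorted(a, key=str))
    print("resolved:", sorted(b, key=str))
    print("difference degree:", difference_degree(a, b))
```

Only the literally versioned commons-io entry is identical under both patterns; the two scanners agree on one of five distinct (group, artifact, version) tuples, a difference degree of 0.8 for a three-dependency project. A practitioner comparing tools across scanning patterns should run the same project through each pattern and look at exactly these unversioned or unexpanded entries, since they are the ones that silently drop out of vulnerability matching.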
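As an added example for contribution (3), and not the article's own algorithm, the block below shows why fuzzy hashing is more robust than exact hashing for recognising a component library inside a binary that has been rebuilt or lightly obfuscated. It implements a simplified context-triggered piecewise hash (the ssdeep idea: cut the byte stream at content-dependent trigger points, hash each piece to one symbol, and score two signatures by edit distance) at two granularities. The "binaries" are constructed pseudo-random byte strings standing in for a library's code section, the byte patches and inserted junk are the assumed obfuscation, and the block sizes and window length are assumed parameters; the article's multi-granularity feature extraction from real binaries is not reproduced here.

```python
import hashlib
import random

WINDOW = 7            # assumed: bytes covered by the rolling hash (the "context")
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def _rolling_hashes(data, window=WINDOW):
    """Polynomial rolling hash over a sliding window; yields one value per offset."""
    mod, mult = 1 << 32, 31
    drop = pow(mult, window, mod)
    h = 0
    for i, b in enumerate(data):
        h = (h * mult + b) % mod
        if i >= window:
            h = (h - data[i - window] * drop) % mod
        yield h


def ctph(data, block_size):
    """Context-triggered piecewise hash: start a new piece whenever the rolling
    hash hits the trigger value, encode each piece as one base64 symbol.
    Cuts depend only on local content, so an insertion disturbs the piece it
    lands in and the pieces after it re-synchronise with the original."""
    sig, start = [], 0
    for i, rh in enumerate(_rolling_hashes(data)):
        if rh % block_size == block_size - 1:
            sig.append(B64[hashlib.sha1(data[start:i + 1]).digest()[0] & 63])
            start = i + 1
    if start < len(data):
        sig.append(B64[hashlib.sha1(data[start:]).digest()[0] & 63])
    return "".join(sig)


def multi_granularity_signature(data, block_size=64):
    """Two granularities of the same bytes: fine pieces catch small reused
    fragments, coarse pieces are cheaper to compare and more noise tolerant."""
    return {"fine": ctph(data, block_size), "coarse": ctph(data, block_size * 2)}


def _levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def signature_similarity(sig_a, sig_b):
    """0..100 score derived from the edit distance between two signatures."""
    longest = max(len(sig_a), len(sig_b))
    if longest == 0:
        return 100
    return int(100 * (1 - _levenshtein(sig_a, sig_b) / longest))


def fuzzy_similarity(data_a, data_b, block_size=64):
    """Best score across granularities, the way ssdeep-style matchers report."""
    sa = multi_granularity_signature(data_a, block_size)
    sb = multi_granularity_signature(data_b, block_size)
    return max(signature_similarity(sa[g], sb[g]) for g in sa)


def exact_match(data_a, data_b):
    """The fragile baseline: a cryptographic hash lookup of the whole file."""
    return hashlib.sha256(data_a).digest() == hashlib.sha256(data_b).digest()


def _blob(seed, size):
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed inputs (not real binaries): a stand-in for a library's code
# section, an "obfuscated" rebuild of it, and an unrelated library.
LIB_ORIGINAL = _blob(1, 8192)
LIB_OBFUSCATED = bytearray(LIB_ORIGINAL)
for off in (500, 1500, 3000):              # a few patched bytes (e.g. renamed symbols)
    LIB_OBFUSCATED[off] ^= 0xFF
LIB_OBFUSCATED[4000:4000] = _blob(7, 48)   # 48 bytes of inserted junk instructions
LIB_OBFUSCATED = bytes(LIB_OBFUSCATED)
UNRELATED = _blob(2, 8192)

if __name__ == "__main__":
    print("exact match, obfuscated :", exact_match(LIB_ORIGINAL, LIB_OBFUSCATED))
    print("fuzzy score, obfuscated :", fuzzy_similarity(LIB_ORIGINAL, LIB_OBFUSCATED))
    print("fuzzy score, unrelated  :", fuzzy_similarity(LIB_ORIGINAL, UNRELATED))
```

The exact hash fails as soon as a single byte changes, which is why a binary SCA mode built on whole-file hashes misses rebuilt or obfuscated components (false negatives). The piecewise signature of the patched library stays close to the original because only the pieces touching the edits change, while the unrelated blob scores low, so a threshold on the score separates the two cases. The price is the quadratic edit-distance comparison per candidate pair, which is where the finer feature mining and more efficient matching the article reports for contribution (3) matter in practice.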