Abstract
Today, a large number of software libraries for many different purposes are reused across projects. An application is only as secure as its weakest component: if an imported library contains a vulnerability, the application that depends on it becomes vulnerable as well. A thorough search for known security flaws in the libraries a project uses is therefore necessary. Large databases such as the National Vulnerability Database (NVD) collect reported vulnerabilities and can be used to decide whether a given library version is affected by a documented weakness. Performed by hand, this classification is a time-consuming and tiring task.
We have developed an automated, tool-based approach that supports developers in this task through heuristics embedded in an Eclipse plugin. Vulnerabilities documented in such databases are taken into account when classifying the security of a library. Since weaknesses do not all have the same consequences, a score that rates their criticality according to their potential impact is applied. In this paper we also consider a method for enriching the knowledge contained in vulnerability databases.
Our approach focuses on software weaknesses that originate in libraries and are documented in vulnerability databases. The Java Library Checker was implemented as an Eclipse plugin that makes potentially insecure third-party libraries visible to developers.
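As an added illustration (not code from the paper or from the Java Library Checker), the following Python script shows the core check such a tool has to perform: it extracts Maven coordinates and a version from a JAR, maps them to a CPE vendor/product pair, evaluates the NVD version-range attributes against the library version, and returns the matching entries with their CVSS base score as the criticality rating. The feed is a constructed sample laid out like an NVD JSON 1.1 entry; the CVE identifiers, the `org.example` libraries and the `COORD_TO_CPE` mapping are assumptions made for this example only.

```python
import io
import re
import zipfile

# Constructed sample in the layout of an NVD JSON 1.1 feed entry (the layout is an
# assumption; the CVE IDs, vendor and product names are made up for this example).
SAMPLE_FEED = {
    "CVE_Items": [
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
         "configurations": {"nodes": [{"cpe_match": [
             {"vulnerable": True,
              "cpe23Uri": "cpe:2.3:a:example:widgetlib:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "3.2.2"}]}]},
         "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}}},
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
         "configurations": {"nodes": [{"cpe_match": [
             {"vulnerable": True,
              "cpe23Uri": "cpe:2.3:a:example:widgetlib:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "4.0.0", "versionEndIncluding": "4.1.0"}]}]},
         "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}}},
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}},
         "configurations": {"nodes": [{"cpe_match": [
             {"vulnerable": True,
              "cpe23Uri": "cpe:2.3:a:example:gadgetlib:1.0.0:*:*:*:*:*:*:*"}]}]},
         "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 4.3}, "severity": "MEDIUM"}}},
    ]
}

# Hypothetical mapping from Maven coordinates to CPE vendor/product. Matching library
# names to CPE names is the heuristic part of the problem and has to be curated by hand.
COORD_TO_CPE = {
    "org.example:widgetlib": ("example", "widgetlib"),
    "org.example:gadgetlib": ("example", "gadgetlib"),
}


def version_key(version):
    """Numeric tuple for ordering. Qualifiers such as '-rc1' or '.RELEASE' are dropped,
    so 1.0.0-rc1 compares equal to 1.0.0; this errs on the side of reporting."""
    nums = re.findall(r"\d+", version.split("-")[0])
    return tuple(int(n) for n in nums) + (0,) * (4 - len(nums))


def version_matches(version, match):
    """Apply the CPE version field plus the NVD range attributes to one library version."""
    cpe_version = match["cpe23Uri"].split(":")[5]
    if cpe_version not in ("*", "-") and version_key(cpe_version) != version_key(version):
        return False
    v = version_key(version)
    checks = (("versionStartIncluding", lambda b: v >= b),
              ("versionStartExcluding", lambda b: v > b),
              ("versionEndIncluding", lambda b: v <= b),
              ("versionEndExcluding", lambda b: v < b))
    return all(ok(version_key(match[k])) for k, ok in checks if k in match)


def coordinates_from_jar(jar_bytes):
    """Read groupId:artifactId and version from META-INF/maven/**/pom.properties; fall back
    to the manifest's Implementation-Title / Implementation-Version (continuation lines ignored)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = dict(line.split("=", 1) for line in jar.read(name).decode().splitlines()
                             if "=" in line and not line.startswith("#"))
                return f"{props['groupId']}:{props['artifactId']}", props["version"]
        manifest = jar.read("META-INF/MANIFEST.MF").decode()
        attrs = dict(line.split(": ", 1) for line in manifest.splitlines() if ": " in line)
        return attrs.get("Implementation-Title"), attrs.get("Implementation-Version")


def find_vulnerabilities(coord, version, feed=SAMPLE_FEED):
    """Return (cve_id, base_score, severity) for each entry whose CPE matches, worst first.
    Only top-level cpe_match entries are examined; nested child nodes are not descended into."""
    if coord not in COORD_TO_CPE:
        return []  # unknown library: cannot be classified, which is not the same as "secure"
    vendor, product = COORD_TO_CPE[coord]
    hits = []
    for item in feed["CVE_Items"]:
        matches = [m for node in item["configurations"]["nodes"] for m in node.get("cpe_match", [])]
        if any(m.get("vulnerable") and m["cpe23Uri"].split(":")[3:5] == [vendor, product]
               and version_matches(version, m) for m in matches):
            impact = item["impact"]
            if "baseMetricV3" in impact:
                cvss = impact["baseMetricV3"]["cvssV3"]
                score, severity = cvss["baseScore"], cvss["baseSeverity"]
            else:
                score = impact["baseMetricV2"]["cvssV2"]["baseScore"]
                severity = impact["baseMetricV2"]["severity"]
            hits.append((item["cve"]["CVE_data_meta"]["ID"], score, severity))
    return sorted(hits, key=lambda h: -h[1])


def library_rating(hits):
    """Criticality of a library: the highest base score among matching entries, 0.0 if none."""
    return max((score for _, score, _ in hits), default=0.0)


def build_jar(group, artifact, version, with_pom_properties=True):
    """Construct a minimal in-memory JAR with Maven metadata (a fixture, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Title: {group}:{artifact}\r\n"
                     f"Implementation-Version: {version}\r\n\r\n")
        if with_pom_properties:
            jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                         f"#generated\ngroupId={group}\nartifactId={artifact}\nversion={version}\n")
    return buf.getvalue()


def check_jar(jar_bytes, feed=SAMPLE_FEED):
    coord, version = coordinates_from_jar(jar_bytes)
    return coord, version, find_vulnerabilities(coord, version, feed)


if __name__ == "__main__":
    for g, a, v in [("org.example", "widgetlib", "3.2.1"), ("org.example", "widgetlib", "3.2.2"),
                    ("org.example", "widgetlib", "4.1.0"), ("org.example", "gadgetlib", "1.0.0")]:
        coord, version, hits = check_jar(build_jar(g, a, v))
        print(coord, version, "rating", library_rating(hits), hits or "no documented vulnerability")
```

Two details matter in practice: the boundary handling of `versionEndExcluding` (3.2.1 is reported, 3.2.2 is not), and the fact that a library with no entry in the mapping or the feed yields an empty result, which a checker must present as "unknown", not as "secure".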
Notes
1. Maven Repository: https://mvnrepository.com/popular (06.2018).
2. Common Vulnerabilities and Exposures: https://cve.mitre.org/about/ (10.2017).
3. CVE-Search: https://nvd.nist.gov/vuln/search/ (06.2018).
4. US-CERT, Security the Weakest Link: https://goo.gl/ZCuCc8 (06.2018).
5. Semantic Versioning: http://semver.org/ (10.2017).
6. Oracle, JAR File Specification: https://goo.gl/dTR3xr (10.2017).
7. Most Demanded Programming Languages: https://goo.gl/XiWcMw (06.2018).
© 2019 Springer Nature Switzerland AG
Cite this paper
Viertel, F.P., Kortum, F., Wagner, L., Schneider, K. (2019). Are Third-Party Libraries Secure? A Software Library Checker for Java. In: Zemmari, A., Mosbah, M., Cuppens-Boulahia, N., Cuppens, F. (eds) Risks and Security of Internet and Systems. CRiSIS 2018. Lecture Notes in Computer Science, vol 11391. Springer, Cham. https://doi.org/10.1007/978-3-030-12143-3_2
DOI: https://doi.org/10.1007/978-3-030-12143-3_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-12142-6
Online ISBN: 978-3-030-12143-3
eBook Packages: Computer Science (R0)