SōjiTantei: Function-Call Reachability Detection of Vulnerable Code for npm Packages
-
- CHINTHANET Bodin
- Nara Institute of Science and Technology
-
- GAIKOVINA KULA Raula
- Nara Institute of Science and Technology
-
- ELIZA ZAPATA Rodrigo
- Nara Institute of Science and Technology
-
- ISHIO Takashi
- Nara Institute of Science and Technology
-
- MATSUMOTO Kenichi
- Nara Institute of Science and Technology
-
- IHARA Akinori
- Wakayama University
抄録
<p>It has become common practice for software projects to adopt third-party dependencies. Developers are encouraged to update any outdated dependency to remain safe from potential threats of vulnerabilities. In this study, we present an approach to aid developers show whether or not a vulnerable code is reachable for JavaScript projects. Our prototype, SōjiTantei, is evaluated in two ways (i) the accuracy when compared to a manual approach and (ii) a larger-scale analysis of 780 clients from 78 security vulnerability cases. The first evaluation shows that SōjiTantei has a high accuracy of 83.3%, with a speed of less than a second analysis per client. The second evaluation reveals that 68 out of the studied 78 vulnerabilities reported having at least one clean client. The study proves that automation is promising with the potential for further improvement.</p>
収録刊行物
-
- IEICE Transactions on Information and Systems
-
IEICE Transactions on Information and Systems E105.D (1), 19-20, 2022-01-01
一般社団法人 電子情報通信学会
- Tweet
詳細情報 詳細情報について
-
- CRID
- 1390572092344362880
-
- NII論文ID
- 130008138808
-
- ISSN
- 17451361
- 09168532
-
- 本文言語コード
- en
-
- データソース種別
-
- JaLC
- Crossref
- CiNii Articles
- KAKEN
-
- 抄録ライセンスフラグ
- 使用不可