Vulnerabilities in Red Hat’s packages
We show in an empirical study of 3241 Red Hat packages that software vulnerabilities correlate with dependencies between packages. With formal concept analysis and statistical hypothesis testing, we identify dependencies that decrease the risk of vulnerabilities or increase the risk.
Using prediction models, we can classify Red Hat packages as vulnerable with a median precision of 83% and median recall of 65%. Our findings help developers to choose new dependencies wisely and make them aware of risky dependencies.
Predicting vulnerable software components
Where do most vulnerabilities occur in software? Our Vulture tool automatically mines existing vulnerability databases and version archives to map past vulnerabilities to components. The resulting ranking of the most vulnerable components is a perfect base for further investigations on what makes components vulnerable.
In an investigation of the Mozilla vulnerability history, we surprisingly found that components that had a single vulnerability in the past were generally not likely to have further vulnerabilities. However, components that had similar imports or function calls were likely to be vulnerable. Based on this observation, we were able to extend Vulture by a simple predictor.
This allows developers and project managers to focus their efforts where they are needed most: “We should look at nsXPInstallManager because it is likely to contain yet unknown vulnerabilities.”
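A minimal import-based predictor in the spirit of the observation above, as an added example that is not the Vulture code: it learns a per-import vulnerability rate from past data, ranks held-out components by the average risk of their imports, and reports precision and recall. All component and import names are constructed placeholders, and the scoring rule is an assumption, not the paper's method.

```python
from collections import Counter

# Constructed training data, not the Vulture corpus:
# component -> (set of imports, had a vulnerability in the past)
TRAIN = {
    "parser":    ({"io.h", "string.h", "xml.h"}, True),
    "installer": ({"io.h", "net.h", "string.h"}, True),
    "scripting": ({"jsapi.h", "string.h", "net.h"}, True),
    "layout":    ({"frame.h", "style.h"}, False),
    "styleset":  ({"css.h", "style.h"}, False),
    "textframe": ({"frame.h", "style.h", "string.h"}, False),
}
# Constructed held-out components used to check the predictor.
TEST = {
    "updater":     ({"net.h", "io.h", "zip.h"}, True),
    "urlparser":   ({"string.h", "net.h"}, True),
    "tablelayout": ({"frame.h", "style.h"}, False),
    "painter":     ({"frame.h", "gfx.h"}, False),
    "fontloader":  ({"io.h", "style.h"}, False),
}

def train(data):
    """Per-import risk: fraction of components importing it that were vulnerable.
    Imports never seen in training fall back to the overall vulnerability rate."""
    seen, vulnerable = Counter(), Counter()
    for imports, is_vuln in data.values():
        for imp in imports:
            seen[imp] += 1
            vulnerable[imp] += is_vuln
    prior = sum(v for _, v in data.values()) / len(data)
    return {imp: vulnerable[imp] / seen[imp] for imp in seen}, prior

def score(model, imports):
    """Assumed scoring rule: mean risk over the component's imports."""
    risk, prior = model
    return sum(risk.get(imp, prior) for imp in imports) / len(imports)

def rank(model, components):
    """Components ordered from most to least likely vulnerable."""
    return sorted(components, key=lambda c: score(model, components[c][0]), reverse=True)

def evaluate(model, components, threshold=0.5):
    """Precision and recall of 'predict vulnerable if score >= threshold'."""
    tp = fp = fn = 0
    for imports, is_vuln in components.values():
        predicted = score(model, imports) >= threshold
        tp += predicted and is_vuln
        fp += predicted and not is_vuln
        fn += (not predicted) and is_vuln
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall

if __name__ == "__main__":
    model = train(TRAIN)
    for name in rank(model, TEST):
        print(f"{name:12s} {score(model, TEST[name][0]):.2f}")
    print("precision=%.2f recall=%.2f" % evaluate(model, TEST))
```

On the constructed data the ranking puts the two vulnerable components first, and one false positive (a component sharing a risky import with the vulnerable ones) keeps precision below 100%.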
Predicting Vulnerable Software Components – ACM CCS 2007