
Security Vulnerability Detection Through Dependency Analysis

Summary

In software development, the use of frameworks and external libraries is an inevitable part of creating efficient software solutions. When a program relies on another program, this forms a dependency. If a dependency is vulnerable, it poses a security issue in your software project. The tool Security Vulnerability Detection (SeVu) was developed to detect vulnerabilities in a Git repository for Maven and Node build roots.

Technologies
Goals

We want to detect possible security risks caused by vulnerable dependencies. In order to reach this goal, each of the following sub-goals has to be achieved:

Problem

Projects in the IT world usually depend on libraries and frameworks to gain efficiency: developers avoid reinventing the wheel. Sometimes dependencies are even integrated without anyone noticing. It is therefore hard to keep track of all the different dependencies. Any of them may be faulty or incompatible with the others; such a dependency is referred to as a vulnerable dependency (a vulnerability). Vulnerabilities pose security risks. The growing number of dependencies and the loss of control over their impact is a problem of current software development. The customer Mibex Software GmbH would like a product that is able to detect these vulnerabilities in a given Git repository.

Results

SeVu successfully stores the vulnerabilities from the vulnerability feed in its database. The modified feed is retrieved automatically, so an up-to-date database is guaranteed. JGit enables SeVu to list the branches of a Git repository without cloning it, so the branches are displayed very quickly. SeVu then downloads the repository, extracts the repository metadata and deletes the temporary folder in which the repository was stored. The dependency extraction for the build roots is precise and performant. SeVu supports the required build roots Maven and Node. Using Maven and NPM themselves guarantees exact resolution of transitive dependencies, which is otherwise a difficult task. Adding another build root such as Gradle is uncomplicated. SeVu is able to find all vulnerabilities of the given test set in a performant fashion. The chosen database (MongoDB) allows multiple indexes and therefore speeds up the search for a given, indexed field of a vulnerable dependency. The performance tests show that comparing a project's dependencies against the database is very fast and is hardly affected by the number of dependencies.
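As an added illustration of the extraction and matching steps described above (this is not SeVu's own code), the following Python sketch parses constructed `mvn dependency:list` and `npm ls --json`-style output, including a transitive dependency, and looks each dependency up in a constructed vulnerability table that is indexed by ecosystem and package name. The record layout, the placeholder ids and the affected version ranges are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed input: two lines as printed by `mvn dependency:list` (group:artifact:type:version:scope).
MAVEN_LIST = "   org.apache.commons:commons-text:jar:1.9:compile\n   junit:junit:jar:4.13.2:test\n"

# Constructed input: an `npm ls --json`-style tree; qs is transitive (pulled in by express).
NPM_TREE = {"dependencies": {"express": {"version": "4.17.1", "dependencies": {"qs": {"version": "6.7.0"}}}}}

# Constructed vulnerability records with placeholder ids (not real advisories):
# a package is affected for versions in the half-open range [introduced, fixed).
VULN_DB = [
    {"id": "EXAMPLE-0001", "eco": "maven", "name": "org.apache.commons:commons-text", "introduced": "1.5", "fixed": "1.10.0"},
    {"id": "EXAMPLE-0003", "eco": "npm", "name": "qs", "introduced": "6.5.0", "fixed": "6.7.3"},
]

def version_key(v):
    # '4.17.15' -> (4, 17, 15): numeric comparison, so 4.9 sorts before 4.17
    return tuple(int(p) for p in re.findall(r"\d+", v))

def maven_deps(text):
    # Parse dependency:list output into (ecosystem, name, version) triples
    deps = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 5:
            group, artifact, _type, version, _scope = parts
            deps.append(("maven", f"{group}:{artifact}", version))
    return deps

def npm_deps(tree):
    # Walk the npm tree recursively so transitive dependencies are included
    deps = []
    for name, node in tree.get("dependencies", {}).items():
        deps.append(("npm", name, node["version"]))
        deps.extend(npm_deps(node))
    return deps

def find_vulnerabilities(deps, db):
    # Index records by (ecosystem, name), the field the lookup is keyed on, so each
    # dependency costs one dict lookup instead of a scan over the whole database
    index = defaultdict(list)
    for rec in db:
        index[(rec["eco"], rec["name"])].append(rec)
    hits = []
    for eco, name, version in deps:
        for rec in index.get((eco, name), []):
            if version_key(rec["introduced"]) <= version_key(version) < version_key(rec["fixed"]):
                hits.append((rec["id"], name, version))
    return hits
```

Real version schemes (Maven qualifiers such as `-SNAPSHOT`, npm pre-release tags) need a proper version parser; the numeric key above is only enough for the constructed input.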

Screenshots: overview, dependencies, vulnerability detail
Project Information
Customer

Mibex Software GmbH, Rautistrasse 60, CH-8048 Zürich

www.mibexsoftware.com/
Project Team
Advisor

Martin Kropp, martin.kropp@fhnw.ch
