Recommended
More Related Content
What's hot
What's hot (16)
Similar to Say No to the Dependency Hell
Similar to Say No to the Dependency Hell (20)
Recently uploaded
Recently uploaded (20)
Say No to the Dependency Hell
- 1. Say No to the Dependency Hell IVAN PASHCHENKO Trento - 2019
- 2. whoami 2 Ivan Pashchenko • PhD candidate in Information Security at the University of Trento • Former Intern at SAP Security Research • Former Leading Security Engineer at Bashneft, Russia • S&T follower and attender (25 out 31 S&Ts) • Snowboarder, hiker, volleyball player
- 4. Nowadays software projects are highly interconnected 4 • Own code • Dependencies Own code Dependencies Software project
- 5. Dependencies? 5 - “..when a piece of software relies on another one”* Basically, separate packages, distributed via Maven, pip, npm, etc. *https://askubuntu.com/questions/361741/what-are-dependencies
- 6. You are writing code… This is a typical functionality, I do not want to invent a wheel – I will use already developed functionality. 6
- 7. And you use just one dependency… 7
- 8. 8 Welcome to the Dependency Hell
- 10. 10
- 14. When you have a dependency 14 𝑚1 𝑚2𝑦1𝑥1 𝑦2𝑢1 𝑧1 direct transitive Dependency tree
- 15. Current dependency analysis 15 0. Follow the updates in your software dependencies manually - Subscribe to mailing lists of your dependencies - Telegram channels - Talk to your friends - Analyze changelogs of the new releases - Receive a lot of spam…
- 16. Current dependency analysis tools 16 1. Github vulnerability alerts: Example: https://github.com/iluwatar/java-design-patterns/network/dependencies
- 17. Current dependency analysis tools 17 1. Github vulnerability alerts: Listing the packages that a repository depends on: https://help.github.com/articles/listing-the-packages-that-a-repository-depends-on/ Viewing and updating vulnerable dependencies in your repository: https://help.github.com/articles/viewing-and-updating-vulnerable-dependencies-in-your- repository/ About security alerts for vulnerable dependencies: https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/
- 18. Current dependency analysis tools 18 2. Snyk.io: Home page: https://snyk.io/ Introduction video: https://youtu.be/4ng5usM6fd8
- 19. Current dependency analysis tools 19 2. Snyk.io – Vulnerability DB:
- 20. Current dependency analysis tools 20 2. Snyk.io – Vulnerability DB:
- 21. Current dependency analysis tools 21 3. SourceClear - https://www.sourceclear.com/ Advantages: - one of the biggest vulnerability databases Disadvantage: - fully commercial 4. Vulas - https://github.com/SAP/vulnerability-assessment-tool Advantages: - open-source - precise code base matching algorithm Disadvantage: - they support only Java (Maven&Gradle) and partially Python
- 22. Current dependency analysis tools 22 5. PyUp (safety) - https://pyup.io/safety/ The tool for Python 6. NPM - https://docs.npmjs.com/cli/audit The tool for JavaScript Advantages: - native support of a dependency management system npm-audit
- 23. You will have such a report 23 What would you do? Ignore? Panic?
- 24. Observation 1 24 Some dependencies are non deployed, hence such vulnerabilities cannot be exploited 𝑚1:compile 𝑚2: 𝑐𝑜𝑚𝑝𝑖𝑙𝑒𝑦1: 𝑐𝑜𝑚𝑝𝑖𝑙𝑒𝑥1: 𝑡𝑒𝑠𝑡 𝑦2: 𝑐𝑜𝑚𝑝𝑖𝑙𝑒𝑢1: 𝑡𝑒𝑠𝑡 𝑧1: 𝑐𝑜𝑚𝑝𝑖𝑙𝑒
- 25. Observation 2 25 𝑚1 𝑚2 𝑦1𝑥1 𝑦2𝑢1 𝑧1 Direct ‘Direct’ and ‘transitive’ notions do not represent which dependencies really can be controlled Transitive
- 26. Observation 2 26 𝑚1 𝑚2 𝑦1𝑥1 𝑦2𝑢1 𝑧1 𝑀 𝑌 𝑋 𝑈 𝑍 ‘Direct’ and ‘transitive’ notions do not represent which dependencies really can be controlled Own In direct control Out of direct control
- 27. Observation 3 27 𝑚1 𝑥1 𝑢1 𝑣1 𝑣1 𝑣2 𝑡0 Some libraries may become halted
- 28. Observation 3 28 𝑚1 𝑥1 𝑢1 𝑣1 𝑣1 𝑣2 𝑡0 Some libraries may become halted Halted = no more updates
- 29. Observation 3 29 𝑚1 𝑥1 𝑢1 𝑣1 𝑣2 𝑣1 𝑣1 𝑣2 𝑣3 𝑡0 𝑡1 There would be no version of x1: 1) to fix vulnerability in x1 2) adopt fixed version of u1 Fixing such a dependency would require a software company either to contribute to the halted library (make a new release) or maintain an own copy of the library Some libraries may become halted Halted = no more updates Never will be adopted
- 30. Counting dependencies 30 Build dependency tree •Maven goals: dependency:tree and dependency:resolve Filter non-deployed dependencies •Exclude test and provided scopes Group dependencies by projects •Group all GAVs with the same groupId within one path and substitute them in the path with the GAV, closest to the vulnerable GAV Identify halted dependencies •𝐿𝑎𝑠𝑡 𝑟𝑒𝑙𝑒𝑎𝑠𝑒 𝑖𝑛𝑡𝑒𝑟𝑣𝑎𝑙 = 𝛼 𝑖=0 𝑛 { 1 − 𝛼 𝑖 ∗ 𝑅𝑒𝑙𝑒𝑎𝑠𝑒 𝑡𝑖𝑚𝑒 𝑛−𝑖} •𝐸𝑥𝑝𝑒𝑐𝑡𝑒𝑑 𝑟𝑒𝑙𝑒𝑎𝑠𝑒 𝑑𝑎𝑡𝑒 = 𝐿𝑎𝑠𝑡 𝑟𝑒𝑙𝑒𝑎𝑠𝑒 + 𝐿𝑎𝑠𝑡 𝑟𝑒𝑙𝑒𝑎𝑠𝑒 𝑖𝑛𝑡𝑒𝑟𝑣𝑎𝑙 •𝐸𝑥𝑝𝑒𝑐𝑡𝑒𝑑 𝑟𝑒𝑙𝑒𝑎𝑠𝑒 𝑑𝑎𝑡𝑒 < 𝑇𝐼𝑀𝐸 ⇒ 𝐿𝑖𝑏𝑟𝑎𝑟𝑦 𝑖𝑠 ℎ𝑎𝑙𝑡𝑒𝑑 Map with known vulnerable GA •S. E. Ponta, H. Plate, and A. Sabetta. Beyond metadata: Code- centric and usage based analysis of known vulnerabilities in open- source software. In Proc. of ICSME-18, 2018
- 31. Effects Filtering non-deployed Dependency grouping “Is halted” analysis 31 20% less false alerts to check Developers may have fixed 82% of vulns in their dependencies (45% increase) 14% of dependencies are halted, hence would not be fixed
- 32. Following our approach you will have the following report 32 A bit more clear what to do, isn’t it?
- 33. We bring order to the dependency hell 33
- 34. An example of our report 34
- 35. 35 We are looking for your experience More details about our research are here: http://bit.ly/vuln-research-trento Contact me: E-mail: ivan.pashchenko@unitn.it Telegram: @riruk Web-site: http://disi.unitn.it/~pashchenko "Dependencies as you see it" (what the problems are, why people could, should, or won't update etc.). This can be a brief Skype/Hangout/etc interview at your convenience.