TY - GEN
T1 - CovSBOM
T2 - 35th IEEE International Symposium on Software Reliability Engineering, ISSRE 2024
AU - Zhao, Yunze
AU - Zhang, Yuchen
AU - Chacko, Dan
AU - Cappos, Justin
N1 - Publisher Copyright:
© 2024 IEEE.
PY - 2024
Y1 - 2024
N2 - The widespread integration of open-source software into commercial codebases, government systems, and critical infrastructure presents significant security challenges, particularly due to the inclusion of vulnerable components. Software Bills of Materials (SBOMs) are crucial for tracking these components; however, they lack detailed insights into the actual utilization of each component, thereby limiting their effectiveness in vulnerability management. This paper introduces CovSBOM, a novel tool that integrates code coverage analysis into SBOMs to provide enhanced transparency and facilitate precise vulnerability detection. CovSBOM addresses the gap between current SBOM and security scanning tools by providing detailed insights into which parts of third-party libraries are actually being used, thereby reducing inefficiencies and the misallocation of developer resources caused by overemphasizing irrelevant vulnerabilities. Through a comprehensive evaluation of 23 large-scale applications, encompassing 1,614 dependencies and 145 vulnerability alerts, CovSBOM has demonstrated a significant reduction in false positives, accurately identifying 105 such instances. This improvement enhances the precision of vulnerability detection by approximately 72%, while effectively maintaining a reasonable level of scalability and usability.
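The abstract describes the core idea of CovSBOM: pair the components listed in an SBOM with code-coverage data so that a vulnerability alert can be checked against whether the affected code was ever executed. The script below is an added illustration of that triage step written for this page; it is not CovSBOM's code and says nothing about how that tool is implemented. The SBOM, the coverage report, the library names and versions, the advisory identifiers (EXAMPLE-000x) and the `x-coverage:executed-symbols` property name are all constructed sample data and assumptions. The two cases a practitioner must not get wrong are handled explicitly: a component with no coverage data at all, and an advisory that names no affected functions, are both kept in the queue rather than dismissed.

```python
"""Coverage-aware SBOM triage: mark alerts whose affected code was never
executed by the test or runtime workload.

Example code added for illustration; not CovSBOM's code.  All library
names, versions, advisory identifiers and coverage data are constructed.
"""
import copy
from dataclasses import dataclass, field

# Constructed SBOM in a minimal CycloneDX-like shape (not a real export).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "example-json", "version": "2.1.0",
         "purl": "pkg:maven/org.example/example-json@2.1.0"},
        {"name": "example-xml", "version": "1.4.2",
         "purl": "pkg:maven/org.example/example-xml@1.4.2"},
        {"name": "example-crypto", "version": "0.9.0",
         "purl": "pkg:maven/org.example/example-crypto@0.9.0"},
    ],
}

# Constructed coverage report: per component purl, the fully qualified
# methods the workload executed (what a JaCoCo-style report gives once
# classes are mapped back to the dependency that ships them).
# example-crypto has no entry: no coverage was collected for it at all.
COVERAGE = {
    "pkg:maven/org.example/example-json@2.1.0": {
        "org.example.json.Parser.parse", "org.example.json.Parser.parseString"},
    "pkg:maven/org.example/example-xml@1.4.2": {
        "org.example.xml.Reader.read", "org.example.xml.Reader.readElement"},
}

# Constructed alerts with hypothetical identifiers (not real CVEs).
ALERTS = [
    {"id": "EXAMPLE-0001", "purl": "pkg:maven/org.example/example-json@2.1.0",
     "affected": ["org.example.json.Parser.parseNumber"]},
    {"id": "EXAMPLE-0002", "purl": "pkg:maven/org.example/example-xml@1.4.2",
     "affected": ["org.example.xml.Reader.readElement",
                  "org.example.xml.Reader.readDoctype"]},
    {"id": "EXAMPLE-0003", "purl": "pkg:maven/org.example/example-crypto@0.9.0",
     "affected": ["org.example.crypto.Cipher.decrypt"]},
    {"id": "EXAMPLE-0004", "purl": "pkg:maven/org.example/example-json@2.1.0",
     "affected": []},  # advisory names no functions at all
    {"id": "EXAMPLE-0005", "purl": "pkg:maven/org.example/example-log@3.0.0",
     "affected": ["org.example.log.Layout.format"]},  # not in the SBOM
]


@dataclass
class Verdict:
    alert_id: str
    status: str  # "reachable" | "not-executed" | "no-coverage" | "unmapped"
    reason: str
    executed_affected: list = field(default_factory=list)


def triage_alerts(sbom, coverage, alerts):
    """Classify each alert.  Only "not-executed" is a candidate false
    positive; every other status stays in the remediation queue."""
    purls = {c["purl"] for c in sbom["components"]}
    verdicts = []
    for alert in alerts:
        purl, aid = alert["purl"], alert["id"]
        affected = alert.get("affected") or []
        if purl not in purls:
            verdicts.append(Verdict(aid, "unmapped", "component not in SBOM"))
        elif not affected:
            # No symbol information: unreachability cannot be shown.
            verdicts.append(Verdict(aid, "reachable",
                                    "advisory lists no affected symbols"))
        elif purl not in coverage:
            # Missing coverage data is not evidence of non-use.
            verdicts.append(Verdict(aid, "no-coverage",
                                    "no coverage collected for component"))
        else:
            hit = sorted(s for s in affected if s in coverage[purl])
            if hit:
                verdicts.append(Verdict(aid, "reachable",
                                        "affected code was executed", hit))
            else:
                verdicts.append(Verdict(aid, "not-executed",
                                        "no affected symbol was executed"))
    return verdicts


def annotate_sbom(sbom, coverage):
    """Return a copy of the SBOM with executed symbols recorded per
    component as a CycloneDX `properties` entry (property name is ours)."""
    out = copy.deepcopy(sbom)
    for comp in out["components"]:
        executed = sorted(coverage.get(comp["purl"], ()))
        comp.setdefault("properties", []).append(
            {"name": "x-coverage:executed-symbols", "value": ",".join(executed)})
    return out


def summarize(verdicts):
    """Count verdicts by status."""
    counts = {}
    for v in verdicts:
        counts[v.status] = counts.get(v.status, 0) + 1
    return counts


if __name__ == "__main__":
    for v in triage_alerts(SBOM, COVERAGE, ALERTS):
        print(f"{v.alert_id}: {v.status} ({v.reason})")
    print(summarize(triage_alerts(SBOM, COVERAGE, ALERTS)))
```

Run on the constructed data, EXAMPLE-0001 is the only alert that can be set aside (its affected method never ran), EXAMPLE-0002 stays because one of its two affected methods did run, and EXAMPLE-0003 and EXAMPLE-0004 stay because the evidence needed to dismiss them is absent. That last distinction matters when reporting a false-positive reduction figure like the one in the abstract: coverage that was never collected must not be counted as coverage that showed the code unused.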
KW - SBOMs
KW - Security
KW - Software Supply Chain
UR - http://www.scopus.com/inward/record.url?scp=85214576524&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85214576524&partnerID=8YFLogxK
U2 - 10.1109/ISSRE62328.2024.00031
DO - 10.1109/ISSRE62328.2024.00031
M3 - Conference contribution
AN - SCOPUS:85214576524
T3 - Proceedings - International Symposium on Software Reliability Engineering, ISSRE
SP - 228
EP - 237
BT - Proceedings - 2024 IEEE 35th International Symposium on Software Reliability Engineering, ISSRE 2024
PB - IEEE Computer Society
Y2 - 28 October 2024 through 31 October 2024
ER -