DOI: 10.1145/3689944.3696164
Research article, Open access

Impacts of Software Bill of Materials (SBOM) Generation on Vulnerability Detection

Published: 19 November 2024

Abstract

The software supply chain (SSC) continues to face cybersecurity threats. To help secure SSCs, the Software Bill of Materials (SBOM) has emerged as a pivotal technology. Despite the increasing use of SBOMs, the influence of SBOM generation on vulnerability detection has not been addressed. We created four corpora of SBOMs from 2,313 Docker images by varying the SBOM generation tool (Syft, Trivy) and the SBOM format (CycloneDX, SPDX). Using three common SBOM analysis tools (Trivy, Grype, CVE-bin-tool), we investigated how the reported vulnerabilities for the same software artifact varied when we changed only the SBOM generation tool and format. Given the complex nature of SBOM generation and analysis, we expected some variation in reported vulnerabilities. However, we found high variability in vulnerability reporting attributable to SBOM generation. The variation in the number of vulnerabilities discovered in the same software artifact highlights the need for rigorous validation and enhancement of SBOM technologies to best secure SSCs.
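One practical check this finding motivates: before trusting a scan of an SBOM, diff the component sets that two generators (or two formats) produce for the same artifact, since a component absent from one SBOM can never surface as a vulnerability in that SBOM's scan. The Python below is an added example, not the paper's code; the two SBOMs are constructed samples and the package names and versions in them are illustrative.

```python
import json

# Constructed sample SBOMs describing the same container image, as two different
# generators might emit them: one CycloneDX 1.5 JSON, one SPDX 2.3 JSON.
CYCLONEDX_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.2",
         "purl": "pkg:deb/ubuntu/openssl@3.0.2"},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:deb/ubuntu/zlib@1.2.11"},
        {"type": "library", "name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1"},
    ],
})
SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "openssl", "versionInfo": "3.0.2", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:deb/ubuntu/openssl@3.0.2"}]},
        {"name": "zlib", "versionInfo": "1.2.11", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:deb/ubuntu/zlib@1.2.11"}]},
        {"name": "log4j-core", "versionInfo": "2.14.1", "externalRefs": [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
    ],
})

def component_key(name, version, purl):
    # Prefer the purl, which is what scanners match against; fall back to name@version.
    return purl if purl else f"{name}@{version}"

def components_from_cyclonedx(text):
    doc = json.loads(text)
    return {component_key(c.get("name"), c.get("version"), c.get("purl"))
            for c in doc.get("components", [])}

def components_from_spdx(text):
    doc = json.loads(text)
    keys = set()
    for pkg in doc.get("packages", []):
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        keys.add(component_key(pkg.get("name"), pkg.get("versionInfo"), purl))
    return keys

def diff_sboms(cdx_text, spdx_text):
    # Components seen by only one generator are blind spots for that SBOM's scan.
    a, b = components_from_cyclonedx(cdx_text), components_from_spdx(spdx_text)
    return {"only_cyclonedx": sorted(a - b), "only_spdx": sorted(b - a), "common": sorted(a & b)}

if __name__ == "__main__":
    print(json.dumps(diff_sboms(CYCLONEDX_JSON, SPDX_JSON), indent=2))
```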


    Published In

    SCORED '24: Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses
    November 2024
    83 pages
    ISBN:9798400712401
    DOI:10.1145/3689944
    This work is licensed under a Creative Commons Attribution International 4.0 License.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. microservices
    2. sbom
    3. sbom generation
    4. software bill of materials
    5. software supply chain security
    6. vulnerability detection

    Funding Sources

    • U.S. Department of Homeland Security Science and Technology Directorate

    Conference

    CCS '24