A team of researchers at North Carolina State University has developed a tool to streamline the process of analyzing open source software updates. VFCFinder enables programmers to pinpoint which sections of code were modified to address security vulnerabilities, improving the security of software supply chains.

Despite the prevalence of open source, it isn’t always easy to know about vulnerabilities or their fixes. The lack of specificity can lead to complications for developers who use code libraries (which is just about everyone).

VFCFinder addresses this challenge by accurately identifying the specific code changes responsible for fixing vulnerabilities. By analyzing commit histories, VFCFinder can pinpoint the most likely commits associated with vulnerability fixes with sufficient accuracy. That streamlines the decision-making process for programmers who are loathe to touch working code but also want optimal application security.

Improving Software Supply Chain Security

The CISA, the government’s top cybersecurity agency, is moving to ensure open source software is more secure. There’s good reason for this: A March report from Synopsys found that nearly three-quarters (74%) of the 1,067 commercial codebases scanned contain open source components that were impacted by high-risk vulnerabilities.

Certainly, most software projects rely on open source libraries or components. “When these dependencies have a security advisory, the project maintainer needs to determine if they need to update to the fixed version,” said William Enck, Professor of Computer Science and director of the Secure Computing Institute at NC State.

This results in a tradeoff: update to ensure the vulnerability is addressed versus risking breaking the project due to an unexpected change in the dependency.

“Making this decision requires more information,” Enck said. “Is the vulnerable part of the old version of the dependency actually used?”

“We imagine VFCFinder either being used as part of the announcement process, or by software supply chain security firms seeking to enrich existing vulnerability data for use in automated tools that help end developers and project maintainers,” said Enck.

Triage Vulnerabilities in Code Dependencies

The research team, which includes Trevor Dunlap, a Ph.D. student at NC State, began with the goal of helping developers and project maintainers better triage notifications of vulnerabilities in their dependencies. “However, we quickly found that there wasn’t sufficient information to deeply study the problem,” Enck said. “We decided to build a tool to solve that problem first. We are now using VFCFinder as part of our ongoing research with our original goal.”

Most security advisories do not have accompanying “patch links,” or URLs that point to the source code commit that fixes the vulnerability, also known as a Vulnerability Fixing Commits (VFC), Enck pointed out. If the VFC is known, then either a human or an automated tool (using something like reachability analysis) can help determine if the vulnerability part of the old version of the dependency is used.

“This is where VFCFinder comes in,” Enck said.

Given a security advisory, the list of versions of the package where the vulnerability is fixed, and the link to the source code, VFCFinder provides a ranked list of the potential top five possible software commits that correspond to the security advisory.

“We found that VFCFinder places the VFC in the top five nearly 97% of the time, and it places the VFC as the top-ranked VFC over 80% of the time,” Enck said. “This list drastically reduces the manual effort of identifying VFCs.”

Making the Model Open Source

Without references to the affected vulnerable code, it is nearly impossible to determine if a given software project is using the affected part, Enck explained. The only option is to update every dependency with a vulnerability. That takes significant manual time because the development team has to test that the library updates do not break the software. Or it adds the risk that an update will break the software in an uncommon scenario.

“We have made VFCFinder and its machine learning models open source,” Enck said.

The team is currently spreading the word to encourage software supply chain security firms and maintainers of vulnerability databases to use VFCFinder to enrich vulnerability information and to contribute that information back into open databases. “Once security advisories commonly have patch links to VFCs, we can build better tools to ease the developer and project maintainer burden when dealing with vulnerabilities in open source software dependencies,” Enck said.

Photo credit: Philipp Katzenberger on Unsplash