Forecasting the risk of software choices: A model to foretell security vulnerabilities from library dependencies and source code evolution

TL;DR

This paper presents a lightweight, formal model for forecasting future security vulnerabilities in software projects by analyzing library dependencies and source code evolution, aiding proactive risk management.

Contribution

It introduces a novel vulnerability forecasting model at the library level that combines source code evolution and dependency analysis for project-specific risk estimation.

Findings

Successfully modeled CVE occurrence probabilities for Java libraries.

Demonstrated model's utility in identifying security-sensitive points.

Open-sourced implementation with experiments on 1255 CVEs and 768 libraries.

Abstract

Software security mainly studies vulnerability detection: is my code vulnerable today? This hinders risk estimation, so new approaches are emerging to forecast the occurrence of future vulnerabilities. While useful, these approaches are coarse-grained and hard to employ for project-specific technical decisions. We introduce a model capable of vulnerability forecasting at library level. Formalising source-code evolution in time together with library dependency, our model can estimate the probability that a software project faces a CVE disclosure in a future time window. Our approach is white-box and lightweight, which we demonstrate via experiments involving 1255 CVEs and 768 Java libraries, made public as an open-source artifact. Besides probabilities estimation, e.g. to plan software updates, this formal model can be used to detect security-sensitive points in a project, or measure the health of a development ecosystem.