Bytecode-centric Detection of Known-to-be-vulnerable Dependencies in Java Projects
Stefan Schott, Serena Elisa Ponta, Wolfram Fischer, Jonas Klauke, Eric Bodden

TL;DR
This paper introduces Jaralyzer, a bytecode-based Java dependency scanner that effectively detects vulnerabilities even in modified dependencies, outperforming existing tools in accuracy and robustness.
Contribution
The paper presents a novel bytecode-centric approach for vulnerability detection in Java dependencies, overcoming limitations of metadata-based scanners and handling dependency modifications.
Findings
Jaralyzer detects vulnerabilities in all types of dependency modifications.
It outperforms Eclipse Steady by detecting 28 more true vulnerabilities.
Jaralyzer reduces false warnings by 29 compared to state-of-the-art tools.
Abstract
On average, 71% of the code in typical Java projects comes from open-source software (OSS) dependencies, making OSS dependencies the dominant component of modern software code bases. This high degree of OSS reliance comes with a considerable security risk of adding known security vulnerabilities to a code base. To remedy this risk, researchers and companies have developed various dependency scanners, which try to identify inclusions of known-to-be-vulnerable OSS dependencies. However, there are still challenges that modern dependency scanners do not overcome, especially when it comes to dependency modifications, such as re-compilations, re-bundlings or re-packagings, which are common in the Java ecosystem. To overcome these challenges, we present Jaralyzer, a bytecode-centric dependency scanner for Java. Jaralyzer does not rely on the metadata or the source code of the included OSS…
Taxonomy
Topics: Software Engineering Research · Web Application Security Vulnerabilities · Security and Verification in Computing
