Uncovering Hidden Inclusions of Vulnerable Dependencies in Real-World Java Projects
Stefan Schott, Serena Elisa Ponta, Wolfram Fischer, Jonas Klauke, Eric Bodden

TL;DR
Unshade is a hybrid Java dependency scanner that combines metadata and code analysis to uncover hidden, modified dependencies with vulnerabilities, revealing that nearly half of popular projects contain such risks undetected by traditional methods.
Contribution
This paper introduces Unshade, a novel hybrid dependency scanning approach that detects modified and hidden dependencies in Java projects, improving security vulnerability detection.
Findings
Nearly 50% of analyzed projects have hidden vulnerable dependencies.
On average, each affected project has more than eight such dependencies.
Unshade identified 7,712 CVEs in hidden dependencies, missed by traditional scanners.
Abstract
Open-source software (OSS) dependencies are a dominant component of modern software code bases. Using proven and well-tested OSS components lets developers reduce development time and cost while improving quality. However, heavy reliance on open-source software also introduces significant security risks, including the incorporation of known vulnerabilities into the codebase. To mitigate these risks, metadata-based dependency scanners, which are lightweight and fast, and code-centric scanners, which enable the detection of modified dependencies hidden from metadata-based approaches, have been developed. In this paper, we present Unshade, a hybrid approach towards dependency scanning in Java that combines the efficiency of metadata-based scanning with the ability to detect modified dependencies of code-centric approaches. Unshade first augments a Java project's software bill of materials…
Taxonomy
Topics: Software Engineering Research · Security and Verification in Computing · Information and Cyber Security
