Advisory: Vulnerability analysis in software development project dependencies

Abstract

Security has become a crucial factor in the development of software systems. The number of dependencies in software systems is becoming a source of countless bugs and vulnerabilities. In the past, the product line community has proposed several techniques and mechanisms to cope with the problems that arise when dealing with variability and dependency management in such systems. In this paper, we present Advisory, a solution that allows automated dependency analysis for vulnerabilities within software projects based on techniques from the product line community. Advisory first inspects software dependencies, then generates a dependency graph, to which security information about vulnerabilities is attributed and translated into a formal model, in this case, based on SMT. Finally, Advisory provides a set of analysis and reasoning operations on these models that allow extracting helpful information about the location of vulnerabilities of the project configuration space, as well as details for advising on the security risk of these projects and their possible configurations.