Eclipse Foundation Proposes Vulnerability Assessment Tool

The Eclipse Foundation has a proposal to incorporate a Vulnerability Assessment Tool that helps developers identify which of their software dependencies contain known security issues from the Common Vulnerabilities and Exposures (CVE) database.

The tool assists teams in identifying the class of issue that OWASP catalogs as "A9-Using Components with Known Vulnerabilities". Without automated checks that monitor downstream libraries, many developers do not know when to upgrade components and may continue using libraries for which working exploits are publicly available, which can lead to system compromise and breaches. The most prominent case of vulnerable components was the Equifax breach of 2017, which led to the exposure of 143 million private records, $600 million in losses, and a four-month prison sentence for former CIO Jun Ying. Ying was convicted and fined for insider trading, having used his knowledge of the breach to sell shares before other investors would find out.

The Vulnerability Assessment Tool was open-sourced by SAP in January 2019, with support for Java and Python. It operates in the same industry space as other Software Composition Analysis (SCA) tools that monitor for known CVEs. A similar feature is available for software projects that use GitHub, following Microsoft's acquisition of Dependabot. Similar to the Vulnerability Assessment Tool, GitHub will identify libraries with known CVEs and will go even further to submit pull requests that upgrade the offending library.

Although scanning for CVEs will improve security by prompting the patching of vulnerable components, some risk will remain. Because scans are keyed on library names and version numbers, tools are unable to determine which versions are misreported or are not what they claim to be. In May 2019, Docker provided a default OpenJDK image whose version number implied a particular patch level, but that build did not actually contain the corresponding security fixes. In 2017, the Eclipse marketplace for IDE plugins provided a popular plugin that displayed open source code but ran a different codebase containing adware. In each case the CVE database did not apply, because the code actually running differed from what the version label described. The OpenJDK Docker issue was resolved through community collaboration, and the Eclipse Foundation took action to remedy the misleading plugin.
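The two paragraphs above describe what an SCA check actually does (match each dependency's name and version against an advisory list) and why that is not enough on its own (a mislabelled artifact passes the version check). The following Python is an added example written for this article; it is not code from the Eclipse proposal or from SAP's tool. The advisory identifiers, package coordinates, version ranges, artifact bytes and digests are all constructed sample values, not real CVEs or real artifacts. It runs the version-based match first, then cross-checks each downloaded artifact's SHA-256 against the digest published for that version, which is the check that catches the "version says patched, contents say otherwise" case.

```python
"""Minimal version-based SCA matcher with an artifact-digest cross-check.

Added example, not part of the InfoQ article, the Eclipse proposal or SAP's
Vulnerability Assessment Tool. Every identifier below is a constructed
placeholder: the advisory ids are not real CVEs and the packages do not exist.
"""
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed placeholder id, not a real CVE number
    package: str          # Maven-style coordinate "group:artifact"
    introduced: tuple     # first affected version, inclusive
    fixed: tuple          # first fixed version, exclusive


@dataclass(frozen=True)
class Dependency:
    package: str
    version: str          # the version the build declares
    artifact: bytes       # the bytes that were actually fetched for it


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so that tuple comparison is numeric."""
    return tuple(int(part) for part in text.split("."))


def version_matches(adv, dep):
    """True when the declared version falls inside the advisory's affected range."""
    return adv.introduced <= parse_version(dep.version) < adv.fixed


def scan_by_version(deps, advisories):
    """Step 1: what an SCA tool does - match name + declared version to advisories."""
    findings = []
    for dep in deps:
        for adv in advisories:
            if adv.package == dep.package and version_matches(adv, dep):
                findings.append((dep.package, dep.version, adv.advisory_id))
    return findings


def scan_by_digest(deps, known_digests):
    """Step 2: compare the fetched artifact with the digest published for that version.

    A mismatch means the version label cannot be trusted, so step 1's verdict for
    that dependency is unreliable. This is the mislabelled-artifact failure mode
    that version-keyed scanning alone cannot see.
    """
    mismatches = []
    for dep in deps:
        expected = known_digests.get((dep.package, dep.version))
        if expected is None:
            continue  # no published digest to compare against; nothing to conclude
        actual = sha256(dep.artifact).hexdigest()
        if actual != expected:
            mismatches.append((dep.package, dep.version))
    return mismatches


# --- constructed sample data (not real packages, versions or advisories) -----
ADVISORIES = [
    Advisory("CVE-0000-0001", "org.example:parser", (2, 0, 0), (2, 15, 0)),
    Advisory("CVE-0000-0002", "org.example:runtime", (1, 0, 0), (1, 3, 0)),
]

# Digests a publisher would list for the genuine release builds (constructed).
KNOWN_DIGESTS = {
    ("org.example:parser", "2.14.1"): sha256(b"parser 2.14.1 release build").hexdigest(),
    ("org.example:runtime", "1.3.0"): sha256(b"runtime 1.3.0 release build").hexdigest(),
}

# What the build actually resolved. The runtime artifact claims 1.3.0 (the fixed
# version) but its contents are an older build that was relabelled.
DEPS = [
    Dependency("org.example:parser", "2.14.1", b"parser 2.14.1 release build"),
    Dependency("org.example:runtime", "1.3.0", b"runtime 1.2.0 build relabelled as 1.3.0"),
    Dependency("org.example:logging", "3.0.2", b"logging 3.0.2 release build"),
]


def report(deps=DEPS, advisories=ADVISORIES, known_digests=KNOWN_DIGESTS):
    """Combine both checks so a reviewer sees the two kinds of finding side by side."""
    return {
        "known_vulnerable": scan_by_version(deps, advisories),
        "untrusted_version_label": scan_by_digest(deps, known_digests),
    }


if __name__ == "__main__":
    for kind, items in report().items():
        print(kind)
        for item in items:
            print("  ", item)
```

In the sample run the version check flags only the parser, and says nothing about the runtime library because its declared version is the fixed one; the digest check is what surfaces that the runtime artifact is not the build its version claims. In practice the "known digests" come from the publisher's signed release metadata or a lockfile with pinned checksums, which is why pinning checksums rather than bare version numbers is the usual mitigation for this gap.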

Software Composition Analysis also examines each component in isolation, unaware of how components interact. For example, such tools would not report cases where two libraries that are each free of security issues are used together in a way that creates one. Many Java applications, such as WebLogic, expose this type of vulnerability by applying Java deserialization to untrusted data. Another example is the use of MLets, which load and execute management code from URLs.

Members of the wider Eclipse community can take part in discussions around the Vulnerability Assessment Tool while it is in its proposal stage.