CD3T: Cross-Project Dependency Defect Detection Tool

doi:10.23940/ijpe.19.09.p5.23292337

Abstract

Abstract: Nowadays, every software project usually has a large number of third-party components depending on the repository, some of which have some unsafe code. Due to complex references and dependencies, code defects and vulnerabilities in upstream dependent libraries will inevitably affect downstream software. In this paper, we design a cross-project dependency defect detection system based on Java, called CD3T. The entire implementation process of CD3T uses Apache Maven as a project dependent package management tool and uses IntelliJ IDEA as an integrated basic environment for the development of coding, compilation, and packaging. The system uses a full-text search engine and H2 Database that supports the engine that formats and stores vulnerability data, and the Apache Velocity template engine drives report generation. Finally, it obtains and formats the data that stores the U.S. national common vulnerability database, file dependency analysis, file dependency vulnerability checking, and check result output.

Key words: cross-project, dependency, NVD, CVE

Yongming Yao, Song Huang, Cuiyi Feng, Chen Liu, and Chenying Xu. CD3T: Cross-Project Dependency Defect Detection Tool [J]. Int J Performability Eng, 2019, 15(9): 2329-2337.

Add to citation manager EndNote|Reference Manager|ProCite|BibTeX|RefWorks

References

1. M. Hüttermann, “DevOps for Developers,” Apress Berkely, 2012
2. C. Ebert, G. Gallardo, J. Hernantes,N. J. I. S. Serrano, “DevOps,” IEEE Software, Vol. 33, No. 3, pp. 94-100, 2016
3. F. Anjum, F. Caruso, R. Jain,P. Missier, “ChaiTime: A System for Rapid Creation of Portable Next-Generation Telephony Services using Third-Party Software Components,” in Proceedings of IEEE Second Conference on Open Architectures and Network Programming, March 1999
4. C. Ayala, X. Franch, R. Conradi, J. Li,D. Cruzes, “Developing Software with Open Source Software Components,” Finding Source Code on the Web for Remix and Reuse, Springer, New York, 2013
5. B. Klatt, Z. Durdik, H. Koziolek, K. Krogmann, J. Stammel,R. Weiss, “Identify Impacts of Evolving Third Party Components on Long-Living Software Systems,” inProceedings of European Conference on Software Maintenance and Reengineering, pp. 461-464, Szeged, Hungary, April 2012
6. W. Schwittek and S. Eicker, “A Study on Third Party Component Reuse in Java Enterprise Open Source Software,” inProceedings of International ACM Sigsoft Symposium on Component-based Software Engineering, pp. 75-80, Vancouver, British Columbia, Canada, June 2013
7. Y. Yao, Y. Yan, Z. Wang,C. Liu, “Design and Implementation of Combinatorial Testing Tools,” inProceedings of 2017 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C), pp. 320-325, Prague, Czech Republic, 2017
8. A. Mockus, “Large-Scale Code Reuse in Open Source Software,” inProceedings of First International Workshop on Emerging Trends in FLOSS Research and Development (FLOSS'07: ICSE Workshops 2007), pp. 7, Minneapolis, MN, USA, 2007
9. W. Ma, L. Chen, X. Zhang, Y. Zhou,B. Xu, “How Do Developers Fix Cross-Project Correlated Bugs? A Case Study on the GitHub Scientific Python Ecosystem,” inProceedings of 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE), pp. 381-392, Buenos Aires, Argentina, 2017
10. E. Kalliamvakou, D. Damian, K. Blincoe, L. Singer,D. M. German, “Open Source-Style Collaborative Development Practices in Commercial Projects using GitHub,” inProceedings of 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, pp. 574-585, Florence, Italy, May 2015
11. Y. Wu, S. Huang,H. Ji, “An Information Flow-based Feature Selection Method for Cross-Project Defect Prediction,” International Journal of Performability Engineering, Vol. 14, No. 6, pp. 1263-1274, 2018
12. H. Ji, S. Huang, X. Lv, Y. Wu,Z. Hui, “A Two-Stage Feature Weighting Method for Naive Bayes and Its Application in Software Defect Prediction,” International Journal of Performability Engineering, Vol. 14, No. 7, pp. 1468-1480, 2018
13. Information Technology Laboratory, “NVD General Information,” (https://nvd.nist.gov/general/, accessed June 2019)
14. Information Technology Laboratory, “Security Content Automation Protocol,” (https://scap.nist.gov/, accessed June 2019)
15. CVE, “All CVE Documents,” ( https://cve.mitre.org/about/documents.html, accessed June 2019)
16. M. Rouse, “What is Common Weakness Enumeration (CWE)?”
(https://searchsecurity.techtarget.com/definition/Common-Weakness-Enumeration, accessed June 2019)
17. FIRST, “Common Vulnerability Scoring System v3.0: Specification Document,” (https://www.first.org/cvss/specification-document, , accessed June 2019)
18. A. V.Aho and R. Sethi, “Maintaining Cross References in Manuscripts,” Software Practice and Experience, Vol. 18, No. 1, pp. 1-13, January 1988
19. F. Wu, X. Y. Jing, X. W. Dong, J. C. Cao, M. W. Xu, H. Y. Zhang, et al., “Cross-Project and within-Project Semi-Supervised Software Defect Prediction Problems Study using a Unified Solution,” inProceedings of 2017 IEEE/ACM 39th International Conference on Software Engineering Companion (ICSE-C), pp. 195-197, Buenos Aires, Argentina, May 2017
20. P. A. Habibi, V. Amrizal,R. B. Bahaweres, “Cross-Project Defect Prediction for Web Application using Naive Bayes (Case Study: Petstore Web Application),” inProceedings of 2018 International Workshop on Big Data and Information Security, pp. 13-18, Jakarta, Indonesia, May 2018
21. S. Huang, Y. Wu, H. Ji,C. Bai, “A Three-Stage Defect Prediction Model for Cross-Project Defect Prediction,” in Proceedings of 2017 International Conference on Dependable Systems and Their Applications, Beijing, China, November 2017
22. W. Zamojski, J. Kacprzyk, J. Mazurkiewicz, J. Sugier,T. Walkowiak, “Dependable Computer Systems,” Advances in Intelligent and Soft Computing, Vol. 97, pp. 415-422, 2011
23. L. A. B.Sanguino and R. Uetz, “Software Vulnerability Analysis using CPE and CVE,” arXiv: 1705.05347v1, May 2017