It is hard to imagine modern software projects without the use of open source software (OSS). In typical Java projects, an average of around 71% of the code comes from OSS dependencies, making them an essential component of today's software code bases. However, this strong dependence on OSS is associated with considerable security risks, as known vulnerabilities can be introduced into the code base in this way. To reduce this risk, numerous dependency scanners have been developed in both research and industry that aim to identify the use of known vulnerable OSS dependencies. However, these tools still face fundamental challenges as they are predominantly based on metadata or source code analyses. In particular, modifications to dependencies, such as recompiling, rebundling or renaming, which are widespread in the Java ecosystem, often cannot be reliably recognised by modern dependency scanners.
This is precisely where the Reaktor project, which is being carried out in cooperation with one of the world's leading software companies, SAP, comes in. The aim of the project is to improve the detection of modified OSS dependencies in Java applications in order to increase the effectiveness of existing dependency scanners and sustainably strengthen the security of software projects. To this end, methods are being developed that enable the identification of vulnerable dependencies directly at bytecode level, the code representation in which dependencies are ultimately delivered and integrated into applications. Analysing at bytecode level is the only way to ensure reliable detection of vulnerabilities, as metadata may be incomplete, incorrect or completely missing.
Another central starting point of the Reaktor project is the reduction of false alarms. Although on average around 71% of the project code consists of OSS dependencies, in practice only around 12% of the code originating from third-party components is actually used. However, modern dependency scanners are usually unable to take into account the specific usage context of a dependency and therefore report numerous vulnerabilities, even if they only affect unused code parts. As part of the Reaktor project, additional methods are therefore being developed that include this context of use in the analysis. Reachability analyses are used to check whether potentially vulnerable code sections are actually accessible and therefore relevant for the application. In this way, false warning messages can be effectively reduced.
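The reachability filtering described above, as an added illustration that is not Reaktor's or SAP's code: a constructed call graph of a small application with two bundled dependencies, constructed advisory data with placeholder vulnerability ids, and a breadth-first search from the application's entry points that keeps only the findings whose vulnerable methods are actually reachable, attaching the witnessing call chain to each one.

```python
from collections import deque

# Constructed call graph: a small application (com.example.app) plus two
# bundled OSS dependencies (org.lib.*). Keys are callers, values the callees.
CALL_GRAPH = {
    "com.example.app.Main.main": ["com.example.app.Report.render",
                                  "org.lib.json.Parser.parse"],
    "com.example.app.Report.render": ["org.lib.templ.Engine.render"],
    "org.lib.json.Parser.parse": ["org.lib.json.Parser.parseValue"],
    "org.lib.json.Parser.parseValue": [],
    # Shipped inside the dependency, but nothing in the application calls it.
    "org.lib.json.Parser.parseExternalEntity": ["org.lib.json.Parser.parseValue"],
    "org.lib.templ.Engine.render": ["org.lib.templ.Engine.evaluate"],
    "org.lib.templ.Engine.evaluate": [],
}
# Constructed advisory data (placeholder ids) mapping each vulnerability to the methods it lives in.
VULNERABLE_METHODS = {
    "VULN-PLACEHOLDER-1": ["org.lib.json.Parser.parseExternalEntity"],
    "VULN-PLACEHOLDER-2": ["org.lib.templ.Engine.evaluate"],
}

def reachable_from(call_graph, entry_points):
    """BFS from the entry points; returns {method: caller} for every reachable method."""
    parent = {m: None for m in entry_points}
    queue = deque(entry_points)
    while queue:
        caller = queue.popleft()
        for callee in call_graph.get(caller, []):
            if callee not in parent:          # first visit wins: shortest chain
                parent[callee] = caller
                queue.append(callee)
    return parent

def call_chain(parent, method):
    """Rebuild the entry-point-to-method path as evidence for a finding."""
    chain = []
    while method is not None:
        chain.append(method)
        method = parent[method]
    return chain[::-1]

def triage(call_graph, entry_points, vulnerable_methods):
    """Mark each vulnerability reachable or not; reachable ones carry their call chain."""
    parent = reachable_from(call_graph, entry_points)
    report = {}
    for vuln_id, methods in vulnerable_methods.items():
        hits = [m for m in methods if m in parent]
        report[vuln_id] = {"reachable": bool(hits),
                           "chains": [call_chain(parent, m) for m in hits]}
    return report
```

A static call graph built from bytecode is an under-approximation: edges created through reflection, dynamic class loading or virtual dispatch that the graph builder could not resolve are missing, so a finding marked unreachable here should be treated as a suppression candidate for review rather than as proof that the code is dead.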