We congratulate Stefan Schott on passing his doctoral examination

Secure Software Engineering / Heinz Nixdorf Institut

Stefan Schott successfully completed his doctorate on the topic “Reliable Bytecode-centric Detection of Vulnerable Open-Source Software Dependencies” under Prof. Dr. Eric Bodden.

Abstract of the dissertation:

Open-source software (OSS) dominates modern Java development. On average, more than 70% of a project’s code comes from third-party dependencies. While this heavy reliance on OSS accelerates development, it also introduces significant security risks, as vulnerable dependencies are routinely included in production systems. Existing dependency scanners aim to mitigate this risk, but they largely rely on the availability of metadata or source code and therefore struggle when dependencies are modified through recompilation, rebundling, or repackaging. Such modifications are common in the Java ecosystem and often result in the obfuscation or complete removal of metadata.

In this talk, I present Jaralyzer, a bytecode-centric dependency scanner for Java that overcomes these limitations. Rather than relying on metadata or source code, Jaralyzer analyzes Java bytecode directly, enabling reliable vulnerability detection even in modified dependencies. 

Jaralyzer is built on three core contributions. First, Jess, a targeted compilation technique that uses slicing and stubbing to compile only relevant parts of large Java projects, enabling the isolation and compilation of vulnerability-fixing code at scale. Second, jNorm, a novel bytecode normalization technique that removes compilation-induced differences and produces a compiler-independent bytecode representation. Third, a code property graph–based comparison approach that enables fine-grained matching between dependency bytecode and vulnerability-fixing code, even as the code evolves over time.

Our evaluation shows that Jess successfully compiles up to 90% of vulnerability-fixing commits, compared to less than 11% when using standard build scripts, and that jNorm removes 99% of compilation-induced bytecode differences. Finally, an evaluation on 56 popular open-source components demonstrates that Jaralyzer outperforms state-of-the-art dependency scanners and is the only approach that reliably detects known vulnerabilities in modified dependencies. 

Together, these results show that bytecode-centric dependency scanning provides a practical and effective solution for reliable detection of vulnerable dependencies in Java projects.
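To make the abstract's central argument concrete, the following toy scanner (an added example written for this page, not code from Jaralyzer, Jess or jNorm) models a dependency as a set of methods over a simplified, textual instruction list rather than real JVM class files. It constructs four variants of one dependency: the original release with intact Maven metadata, a recompilation with a different compiler (other debug line numbers, other local-variable slots, metadata stripped), a shaded/repackaged copy (class references relocated to another package, metadata stripped), and the fixed release. A metadata-based scanner and an exact-hash scanner catch only the original, while a comparison over normalised bytecode still identifies the recompiled and shaded copies and does not flag the fixed one. The normalisation here (dropping line numbers, canonicalising slot and label numbering, ignoring the artifact's own package prefix) is a deliberately small stand-in for what jNorm does; all names, coordinates and instruction sequences are constructed.

```python
"""Toy dependency scanners over a simplified bytecode model (constructed for
this page; not Jaralyzer, Jess or jNorm code). Shows why metadata- and
hash-based scanning miss a recompiled or repackaged dependency while a
comparison over compiler-normalised bytecode still matches."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed advisory: vulnerable Maven coordinates plus the vulnerable and
# fixed bodies of Parser.parse. The fix adds a length check before the access.
ADVISORY_COORDS = ("org.example", "parser", "1.2.0")
REF_PKG = "org/example/parser"
VULN_PARSE = ["LINENUMBER 41", "ALOAD 1", "ICONST_0", "AALOAD", "ASTORE 2",
              "LINENUMBER 42", "ALOAD 2",
              f"INVOKEVIRTUAL {REF_PKG}/Parser.handle", "RETURN"]
FIXED_PARSE = ["LINENUMBER 41", "ALOAD 1", "ARRAYLENGTH", "IFNE L1", "RETURN",
               "L1", "LINENUMBER 43", "ALOAD 1", "ICONST_0", "AALOAD",
               "ASTORE 2", "ALOAD 2",
               f"INVOKEVIRTUAL {REF_PKG}/Parser.handle", "RETURN"]
SLOT_RE = re.compile(r"([AIL](?:LOAD|STORE)) (\d+)")


@dataclass
class Artifact:
    name: str
    coords: Optional[tuple]  # Maven coordinates from pom.properties, None if stripped
    package: str             # package the Parser class lives in after (re)packaging
    methods: dict = field(default_factory=dict)  # "Class.method" -> instructions


def normalize(instrs, own_pkg):
    """Remove compilation-induced differences: drop debug line numbers,
    renumber local slots and labels by order of first use, and strip the
    artifact's own package prefix (which shading changes) from class refs."""
    out, slots, labels = [], {}, {}
    for ins in instrs:
        if ins.startswith("LINENUMBER"):
            continue
        m = SLOT_RE.fullmatch(ins)
        if m:
            ins = f"{m.group(1)} {slots.setdefault(m.group(2), f'v{len(slots)}')}"
        ins = re.sub(r"\bL\d+\b",
                     lambda mm: labels.setdefault(mm.group(0), f"L{len(labels)}"), ins)
        out.append(ins.replace(own_pkg + "/", ""))
    return tuple(out)


def recompile(instrs, line_shift, slot_map):
    """Simulate building the same source with another compiler: different
    debug line numbers and a different assignment of local-variable slots."""
    out = []
    for ins in instrs:
        if ins.startswith("LINENUMBER"):
            out.append(f"LINENUMBER {int(ins.split()[1]) + line_shift}")
            continue
        m = SLOT_RE.fullmatch(ins)
        out.append(f"{m.group(1)} {slot_map.get(m.group(2), m.group(2))}" if m else ins)
    return out


def shade(instrs, old_pkg, new_pkg):
    """Simulate relocation/repackaging of class references (e.g. a shade plugin)."""
    return [ins.replace(old_pkg + "/", new_pkg + "/") for ins in instrs]


def method_hash(instrs):
    return hashlib.sha256("\n".join(instrs).encode()).hexdigest()


VULN_HASHES = {method_hash(VULN_PARSE)}


def metadata_scan(art):
    """Coordinates-based scanner: only works while pom metadata is intact."""
    return art.coords == ADVISORY_COORDS


def hash_scan(art):
    """Exact-hash scanner: only works on byte-identical compilation output."""
    return any(method_hash(b) in VULN_HASHES for b in art.methods.values())


def bytecode_scan(art):
    """Bytecode-centric scanner: compare the normalised method body with the
    normalised vulnerable and fixed bodies; flag only a match to the vulnerable one."""
    body = art.methods.get("Parser.parse")
    if body is None:
        return False
    n = normalize(body, art.package)
    return n == normalize(VULN_PARSE, REF_PKG) and n != normalize(FIXED_PARSE, REF_PKG)


def scan_all(art):
    return {"metadata": metadata_scan(art), "hash": hash_scan(art),
            "bytecode": bytecode_scan(art)}


SHADED_PKG = "shaded/" + REF_PKG
ARTIFACTS = [  # constructed variants of one dependency
    Artifact("original", ADVISORY_COORDS, REF_PKG, {"Parser.parse": list(VULN_PARSE)}),
    Artifact("recompiled", None, REF_PKG,
             {"Parser.parse": recompile(VULN_PARSE, 10, {"2": "3"})}),
    Artifact("shaded", None, SHADED_PKG,
             {"Parser.parse": shade(VULN_PARSE, REF_PKG, SHADED_PKG)}),
    Artifact("fixed", ("org.example", "parser", "1.2.1"), REF_PKG,
             {"Parser.parse": list(FIXED_PARSE)}),
]

if __name__ == "__main__":
    for art in ARTIFACTS:
        print(f"{art.name:11s} {scan_all(art)}")
```

Running the script prints one line per variant; only the bytecode-centric scanner reports the recompiled and shaded copies as vulnerable, and none of the three flags the fixed release. Real class files carry far more compiler-dependent detail (constant-pool order, synthetic members, stack-map frames), which is exactly the gap jNorm addresses and this toy normalisation does not.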

From left to right: Prof. Dr. Eric Bodden, Stefan Schott, Dr. Simon Oberthür, Prof. Dr.-Ing. Juraj Somorovsky, Dr. Serena Elisa Ponta (not pictured), Jun.-Prof. Dr.-Ing. Ben Herrmann (not pictured)