
LUP Student Papers

LUND UNIVERSITY LIBRARIES

Improving Vulnerability Assessment through Multiple Vulnerability Sources

Svensson, Gustav LU (2020) EITM01 20191
Department of Electrical and Information Technology
Abstract
Finding vulnerabilities in open source code is becoming more important as the use of open source grows. The National Vulnerability Database (NVD) is a database of public vulnerabilities identified by CVE (Common Vulnerabilities and Exposures) identifiers, the standard for naming vulnerabilities. NVD is the most commonly used vulnerability source, but other sources exist, often specific to a programming language or package manager. The Node Package Manager (NPM) maintains its own vulnerability database, the NPM security advisory. Many of the vulnerabilities in the NPM security advisory overlap with CVEs in NVD, but some vulnerabilities exist only in the NPM security advisory, and some only in NVD. This thesis compares NVD and the NPM security advisory: for the vulnerabilities that overlap, it examines which information differs, and it counts how many vulnerabilities exist in only one of the sources. Vulnerabilities are mapped to each other through their third-party references: two entries that share a reference are treated as the same vulnerability. The thesis also investigates whether vulnerabilities are published earlier in one of the sources. The goal is to determine whether NVD is best used in combination with the NPM security advisory.
Popular Abstract
Using open source components with known vulnerabilities is among the ten most common web application security risks. As the use of open source grows, finding vulnerabilities in it becomes more important. One way is to search a public source such as the National Vulnerability Database (NVD) by hand and then update the affected open source components. There are also automated tools: the package manager Node Package Manager (NPM), for example, has the terminal command npm audit, which reports all known vulnerabilities in the NPM packages a project uses. NVD makes similar tooling possible through its data feeds and API for fetching vulnerabilities. NPM has its own vulnerability source, the NPM security advisory. Some vulnerabilities exist in both NVD and the NPM security advisory, but it is not always obvious that two entries describe the same vulnerability, and some vulnerabilities exist in only one of the sources. For overlapping vulnerabilities the available information can differ, so using NVD and the NPM security advisory together can yield more information about each vulnerability and also surface vulnerabilities that only one source lists. Entries in NVD and the NPM security advisory can be mapped to each other through their third-party references: if two entries share a reference they can be mapped to each other. We investigated how many vulnerabilities from NVD and NPM could be mapped in this way and then compared the mapped pairs to see which important information differs. We fetched 691 vulnerabilities affecting Node.js from NVD and 990 advisories from NPM, and found that 50.5% of the CVEs could be mapped to 35.6% of the advisories.
Critical vulnerabilities also exist in only one of the sources: 9.6% of the CVEs were critical and could not be mapped to an advisory, and 6.7% of the advisories were critical and could not be mapped to a CVE. Among the mapped pairs, the severity rating is not always the same; there are vulnerabilities rated critical in one source whose counterpart in the other source has a much lower rating. We also compared published dates: 81.3% of the mapped advisories were published earlier than their mapped CVE. The largest difference in published date between mapped vulnerabilities was six years, with the NPM advisory published first.
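The mapping and comparison described in the abstract and popular abstract, written out as an added example. This is not code from the thesis: the CVE and advisory records below are constructed sample data (the identifiers, URLs and dates are invented), and the direct-link rule that reads an advisory number out of an npmjs.com/advisories/<id> URL is an assumption about the old advisory site's URL shape, not something the thesis states. The example also goes one step beyond the text by normalising references (scheme, www. prefix, trailing slash and fragment) before comparing them, since two sources that cite the same issue page rarely cite it in byte-identical form.

```javascript
// Added example, not from the thesis. Map NVD CVEs to npm advisories by shared
// third-party references, then compare severity and publication dates.
// All records below are constructed sample data, not real CVEs or advisories.

const nvdCves = [
  { id: 'CVE-2019-0001', severity: 'CRITICAL', published: '2019-06-10',
    references: ['https://github.com/example/pkg-a/issues/42',
                 'https://www.npmjs.com/advisories/1001'] },
  { id: 'CVE-2019-0002', severity: 'MEDIUM', published: '2019-08-01',
    references: ['https://github.com/example/pkg-b/pull/7/'] },     // trailing slash
  { id: 'CVE-2018-0003', severity: 'CRITICAL', published: '2018-03-03',
    references: ['https://example.org/only-on-nvd'] },
];

const npmAdvisories = [
  { id: 1001, severity: 'critical', created: '2019-06-01',
    references: ['https://github.com/example/pkg-a/issues/42'] },
  { id: 1002, severity: 'critical', created: '2013-08-01',
    references: ['http://github.com/example/pkg-b/pull/7#issuecomment-1'] }, // http + fragment
  { id: 1003, severity: 'critical', created: '2019-01-01',
    references: ['https://example.org/only-on-npm'] },
];

// Reduce a reference URL to host + path + query so that scheme, "www.",
// trailing slashes and fragments do not prevent a match.
function normalizeRef(url) {
  try {
    const u = new URL(url);
    const host = u.hostname.replace(/^www\./, '');
    const path = u.pathname.replace(/\/+$/, '');
    return `${host}${path}${u.search}`;
  } catch {
    return url.trim().toLowerCase();   // not a parseable URL; compare as plain text
  }
}

// Return every (cve, advisory) pair that shares at least one normalised reference,
// or where the CVE cites the advisory page itself (assumed npmjs.com/advisories/<id>).
function mapByReferences(cves, advisories) {
  const refIndex = new Map();                 // normalised reference -> Set<advisoryId>
  for (const adv of advisories) {
    for (const r of adv.references) {
      const key = normalizeRef(r);
      if (!refIndex.has(key)) refIndex.set(key, new Set());
      refIndex.get(key).add(adv.id);
    }
  }
  const byId = new Map(advisories.map(a => [a.id, a]));
  const pairs = [];
  for (const cve of cves) {
    const matched = new Set();
    for (const r of cve.references) {
      const key = normalizeRef(r);
      const direct = key.match(/^npmjs\.com\/advisories\/(\d+)$/);
      if (direct && byId.has(Number(direct[1]))) matched.add(Number(direct[1]));
      for (const id of refIndex.get(key) ?? []) matched.add(id);
    }
    for (const id of matched) pairs.push({ cve, advisory: byId.get(id) });
  }
  return pairs;
}

const DAY_MS = 24 * 60 * 60 * 1000;

// Compute the figures the thesis reports: coverage of each source, critical entries
// that only one source has, rating disagreements, and who published first.
function compare(cves, advisories) {
  const pairs = mapByReferences(cves, advisories);
  const mappedCves = new Set(pairs.map(p => p.cve.id));
  const mappedAdvs = new Set(pairs.map(p => p.advisory.id));
  const isCritical = s => s.toUpperCase() === 'CRITICAL';
  const unmappedCriticalCves = cves
    .filter(c => !mappedCves.has(c.id) && isCritical(c.severity)).map(c => c.id);
  const unmappedCriticalAdvs = advisories
    .filter(a => !mappedAdvs.has(a.id) && isCritical(a.severity)).map(a => a.id);
  const ratingMismatch = pairs
    .filter(p => p.cve.severity.toUpperCase() !== p.advisory.severity.toUpperCase())
    .map(p => [p.cve.id, p.advisory.id]);
  const lagDays = pairs.map(p =>
    Math.round((new Date(p.cve.published) - new Date(p.advisory.created)) / DAY_MS));
  const npmFirst = lagDays.filter(d => d > 0).length;
  return {
    cveCoverage: mappedCves.size / cves.length,
    advisoryCoverage: mappedAdvs.size / advisories.length,
    unmappedCriticalCves,
    unmappedCriticalAdvs,
    ratingMismatch,
    npmFirstShare: pairs.length ? npmFirst / pairs.length : 0,
    maxLagDays: lagDays.length ? Math.max(...lagDays) : 0,   // positive = npm published first
  };
}

console.log(JSON.stringify(compare(nvdCves, npmAdvisories), null, 2));
```

On the sample data the run maps two of the three CVEs to two of the three advisories, flags one unmapped critical entry on each side, reports one pair whose ratings disagree (MEDIUM in NVD against critical in NPM), and finds a six-year gap on the pair whose advisory dates from 2013, which is the shape of the thesis's own findings. The normalisation step matters: without it, CVE-2019-0002 and advisory 1002 would not be linked, because one cites the pull request over https with a trailing slash and the other over http with a comment fragment.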
author
Svensson, Gustav (Lund University)
organization
Department of Electrical and Information Technology
course
EITM01 20191
year
2020
type
H2 - Master's Degree (Two Years)
report number
LU/LTH-EIT 2020-792
language
English
id
9030581
date added to LUP
2020-11-24 09:59:34
date last changed
2020-11-24 09:59:34