Software Supply Chain Analysis Techniques for the Java Ecosystem
Cite this article: MAO Tian-Yu, WANG Xing-Yu, CHANG Rui, SHEN Wen-Bo, REN Kui. Software Supply Chain Analysis Techniques for Java Ecosystem [J]. Journal of Software, 2023, 34(6): 2628-2640.
Authors: MAO Tian-Yu  WANG Xing-Yu  CHANG Rui  SHEN Wen-Bo  REN Kui
Affiliation: School of Cyber Science and Technology, Zhejiang University, Hangzhou 310058, Zhejiang; ZJU-Hangzhou Global Scientific and Technological Innovation Center, Zhejiang University, Hangzhou 311200, Zhejiang; College of Software Technology, Zhejiang University, Ningbo 310013, Zhejiang; ZJU-Hangzhou Global Scientific and Technological Innovation Center, Zhejiang University, Hangzhou 311200, Zhejiang; School of Cyber Science and Technology, Zhejiang University, Hangzhou 310058, Zhejiang; Key Laboratory of Blockchain and Cyberspace Governance of Zhejiang Province, Hangzhou 310027, Zhejiang
Funding: National Key R&D Program of China (No. 2022YFE0113200); Key R&D Program of Zhejiang Province (2022C01165).
Abstract: With the continuing development of open-source software, the component-based development model has gradually gained industry acceptance as a way to improve development efficiency and reduce labor costs: developers can conveniently use third-party components through the relevant tooling and can also contribute the components they develop to the community, thereby forming the software supply chain. However, this development model inevitably causes high-risk vulnerabilities to spread along the dependency chains between components to other components or projects, amplifying the vulnerabilities' impact; for example, the Log4j2 vulnerability disclosed at the end of 2021 had an enormous impact on the security of the Java ecosystem through the software supply chain. Current analyses and studies of Java software supply chain security mostly sample components or projects, which ignores the impact of a component or project on the whole open-source ecosystem and cannot accurately measure that impact. This paper therefore studies software supply chain security analysis techniques for the Java ecosystem. It gives, for the first time, formal definitions of key metrics in software supply chain security such as component dependency relations and influence, and on that basis proposes incremental component configuration collection based on index files and multi-core parallel dependency resolution based on POM semantics. It designs and implements a framework for extracting and resolving component dependency relations in the Java open-source ecosystem, collecting and extracting more than 8.8 million component versions and 65 million dependency relations. On this basis, the paper takes the vulnerability-affected logging library Log4j2 as an example to comprehensively evaluate its impact on the ecosystem and the proportion of fixes. The results show that the vulnerability affected 15.12% of the components in the ecosystem (71082) and 16.87% of the component versions (1488971), while only 29.13% of the components have been fixed in their latest version.

Keywords: software supply chain; component dependencies; vulnerability propagation impact; Log4j2
Received: 2022/9/5
Revised: 2022/12/14

Software Supply Chain Analysis Techniques for Java Ecosystem
MAO Tian-Yu,WANG Xing-Yu,CHANG Rui,SHEN Wen-Bo,REN Kui.Software Supply Chain Analysis Techniques for Java Ecosystem[J].Journal of Software,2023,34(6):2628-2640.
Authors:MAO Tian-Yu  WANG Xing-Yu  CHANG Rui  SHEN Wen-Bo  REN Kui
Affiliation:School of Cyber Science and Technology, Zhejiang University, Hangzhou 310058, China;ZJU-Hangzhou Global Scientific and Technological Innovation Center, Zhejiang University, Hangzhou 311200, China;College of Software Technology of Zhejiang University, Zhejiang University, Ningbo 310013, China;ZJU-Hangzhou Global Scientific and Technological Innovation Center, Zhejiang University, Hangzhou 311200, China;School of Cyber Science and Technology, Zhejiang University, Hangzhou 310058, China;Key Laboratory of Blockchain and Cyberspace Governance of Zhejiang Province, Zhejiang University, Hangzhou 310027, China
Abstract: With the prosperity of open-source software, almost all software companies use reusable components as basic building blocks for their software products, thus forming the software supply chain. The software supply chain improves development efficiency and reduces labor costs for software companies. However, it may also introduce new security problems. In particular, if one software component has a high-risk vulnerability, the software supply chain inevitably spreads that vulnerability to everything that depends on the component, thus amplifying the vulnerability's impact. For example, through the software supply chain, the Log4j2 vulnerability caused a catastrophic security issue for the whole Java ecosystem.

Unfortunately, current research on the Java software supply chain mainly focuses on a single component or a group of components and misses the impact study at the ecosystem scale. Therefore, in this paper, we present the essential software supply chain analysis techniques needed to study component and vulnerability impact on the Java ecosystem. More specifically, we first give a formal definition of component dependencies in the software supply chain. Next, we propose new techniques and build an analysis tool to analyze all component dependencies in the Java ecosystem, covering over 8.8 million component versions and 65 million dependencies. Finally, we use Log4j2, a logging library affected by the vulnerability, as an example to evaluate its impact on the whole Java ecosystem. The results show that the vulnerability affects 15.12% of the components in the ecosystem (71082) and 16.87% of the component versions (1488971), and that the vulnerability-fix rate is only 29.13%.
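The ecosystem-scale evaluation the abstract describes (a transitive reverse-dependency closure over component versions, followed by the affected-version ratio, affected-component ratio and fix ratio) as an added Python example; this is not the paper's tool or dataset. The component graph and the set of vulnerable versions are constructed toy data, and the POM-semantics resolution step is assumed to have already produced the direct-dependency map.

```python
from collections import defaultdict, deque

# Constructed toy ecosystem (not the paper's dataset): (component, version) -> direct dependencies.
# Versions of each component are listed in release order, so the last entry is its latest.
DEPS = {
    ("log4j-core", "2.14.1"): [],
    ("log4j-core", "2.17.1"): [],
    ("logging-starter", "1.0"): [("log4j-core", "2.14.1")],
    ("logging-starter", "1.1"): [("log4j-core", "2.17.1")],
    ("web-app", "3.0"): [("logging-starter", "1.0")],
    ("web-app", "3.1"): [("logging-starter", "1.0")],  # latest still pulls the vulnerable chain
    ("batch-job", "0.9"): [("logging-starter", "1.0")],
    ("batch-job", "1.0"): [("logging-starter", "1.1")],  # latest moved to the fixed chain
    ("unrelated", "1.0"): [],
}
# Assumed vulnerable version set for the toy data (the page does not list affected versions).
VULNERABLE = {("log4j-core", "2.14.1")}


def affected_versions(deps, vulnerable):
    """Every component version that transitively depends on a vulnerable version.
    Breadth-first search over reversed edges; the seen-set also terminates cycles."""
    dependents = defaultdict(list)
    for version, direct in deps.items():
        for dep in direct:
            dependents[dep].append(version)
    seen, queue = set(), deque(vulnerable)
    while queue:
        for dependent in dependents.get(queue.popleft(), ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def impact_metrics(deps, vulnerable):
    """The three ecosystem metrics reported in the abstract: share of affected component
    versions, share of affected components, and share of affected components whose
    latest version no longer reaches a vulnerable version (the fix rate)."""
    affected = affected_versions(deps, vulnerable)
    components = {c for c, _ in deps}
    affected_components = {c for c, _ in affected}
    latest = {}
    for c, v in deps:  # insertion order == release order in this toy data
        latest[c] = v
    fixed = {c for c in affected_components if (c, latest[c]) not in affected}
    return {
        "affected_versions": len(affected),
        "affected_components": len(affected_components),
        "fixed_components": len(fixed),
        "version_ratio": len(affected) / len(deps),
        "component_ratio": len(affected_components) / len(components),
        "fix_ratio": len(fixed) / len(affected_components) if affected_components else 0.0,
    }
```

On the toy data, 4 of 9 versions and 3 of 5 components are affected, and only 2 of the 3 affected components are fixed in their latest version; the paper reports the same three quantities over the full ecosystem.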

Keywords:software supply chain  component dependencies  vulnerability propagation impact  Log4j2