PKVIC: Supplement Missing Software Package Information in Security Vulnerability Reports

Abstract

Nowadays security vulnerability reports contain commercial vendor-centric information but fail to include accurate information of open-source software packages. Open-source ecosystems use package managers, such as Maven, NuGet, NPM, and Gem, to cover hundreds of thousands of free code packages. However, we uncover that vulnerability reports frequently miss the vulnerable software package information when the software package comes from open-source ecosystems. To fill in this gap, we propose a framework called PKVIC (software package vulnerability information calibration), as the first tool to automatically associate security vulnerability reports with affected software packages from different open-source ecosystems. Specifically, PKVIC designs an ecosystem classifier to determine which ecosystem a vulnerability report belongs to. From the reports written in natural language, PKVIC extracts the entities closely related to software names in ecosystems. To efficiently and accurately locate the affected software packages from millions of packages, we propose a recursive traversal method to generate the package identifier based on the naming scheme and candidate named entities. We implemented the prototype of PKVIC and conducted comprehensive experiments to validate its efficacy. In particular, we ran PKVIC over 421,808 vulnerability reports from 20 well-known sources of security vulnerabilities and identified 11,279 unique vulnerability reports that affected 2,703 open-source software packages. PKVIC successfully found the accurate reference URLs for these 2,703 software packages across 6 open-source ecosystems, including Pypi, Gem, NPM, Packagist, Nuget, and Maven.