Citation bot (talk | contribs) Alter: title, template type. Add: chapter-url, chapter. Removed or converted URL. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | #UCB_CommandLine |
Citation bot (talk | contribs) Alter: title, template type, url. URLs might have been anonymized. Add: chapter-url, chapter. Removed or converted URL. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | Suggested by Headbomb | Linked from Wikipedia:WikiProject_Academic_Journals/Journals_cited_by_Wikipedia/Sandbox3 | #UCB_webform_linked 1909/2306 |
Line 40:
However, using [[open-source software]] also introduces risks for the applications being developed. These risks can be organized into five categories:<ref>
{{Cite
|last1=Duc Linh|first1=Nguyen
|last2=Duy Hung|first2=Phan
|last3=Dipe|first3=Vu Thu
|
|date=2019
▲|title= Risk Management in Projects Based on Open-Source Software
▲|journal=Proceedings of the 2019 8th International Conference on Software and Computer Applications
|pages= 178–183
|doi=10.1145/3316615.3316648
|isbn=9781450365734
|s2cid=153314145
|chapter-url=https://dl.acm.org/doi/pdf/10.1145/3316615.3316648
}}</ref>
* OSS Version Control: risks of changes introduced by new versions
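Review bot: the |chapter-url= line in this template has no |chapter= to attach to, and the paper title is still in |title= with the proceedings name in |journal=. If the template has been converted to Cite book as the edit summary says, the paper title belongs in |chapter= and the proceedings name in |title=; otherwise keep a plain |url= and drop |chapter-url=, since a chapter URL with no chapter does not render.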
Line 122:
* The engine identifies the OSS components and their versions and usually stores this information in a database, creating a catalog of the OSS in use in the scanned application.
* This catalog is then compared against databases of known security vulnerabilities for each component, the licensing requirements for using the component, and the component's version history.<ref>{{Cite web|url=https://insights.sei.cmu.edu/blog/10-types-of-application-security-testing-tools-when-and-how-to-use-them/|title=10 Types of Application Security Testing Tools: When and How to Use Them|date=8 July 2018 }}</ref> For vulnerability detection, the comparison is typically made against the known vulnerabilities (CVEs) tracked in the [[National Vulnerability Database]] (NVD); some products supplement this with a proprietary vulnerability database of their own. For [[Legal_governance,_risk_management,_and_compliance#Legal_compliance|IP / legal compliance]], SCA products extract and evaluate the license under which each OSS component is distributed.<ref>
{{Cite
|last1=Duan|first1=Ruian
|last2=Bijlani|first2=Ashish
Line 128:
|last4=Kim|first4=Taesoo
|last5=Lee|first5=Wenke
|
|chapter=Identifying Open-Source License Violation and 1-day Security Risk at Large Scale
|date=2017
▲|journal=Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
|pages=2169–2185
|publisher=ACM
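Review bot: |chapter= and |journal= are both set in this template, but a chapter belongs to a |title= (the proceedings volume), not to a journal. Rename |journal= to |title= so that the |chapter= and |chapter-url= on the surrounding lines render against the proceedings name.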
Line 136:
|isbn=9781450349468
|s2cid=7402387
|chapter-url=https://dl.acm.org/doi/pdf/10.1145/3133956.3134048
}}</ref> Component version information is drawn from popular package repositories such as [[GitHub]], [[Apache Maven|Maven]], [[Python Package Index|PyPI]], [[NuGet]], and many others.
* The results are then made available to end users in various formats. The content and format depend on the SCA product and may include guidance on evaluating and interpreting the risk, and recommendations, especially regarding the legal requirements of open source components such as [[Copyleft#Strong_and_weak_copyleft|strong or weak copyleft]] licensing. The output may also contain a [[Software supply chain|Software Bill of Materials]] (SBOM) detailing all the open source components, and their associated attributes, used in a software application.<ref>
Line 154:
Depending on the SCA product's capabilities, it can be integrated directly into the [[Integrated_development_environment|Integrated Development Environment]] (IDE) of the developer who uses and integrates OSS components, or it can run as a dedicated step in the [[software quality control]] process.<ref>
{{Cite
|last1= Imtiaz|first1=Nasif
|last2=Thorn|first2=Seaver
|last3=Williams|first3=Laurie
|
|
|date=October 2021
▲|journal=Proceedings of the 15th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)
|pages=1–11
|publisher=ACM
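Review bot: this template keeps |journal= and two emptied parameters but no |title= or |chapter=, so the reference would render with the proceedings name only and no paper title. The |chapter-url= in the continuation of this template carries DOI 10.1145/3475716.3475769, the same paper cited with its title "A comparative study of vulnerability reporting by software composition analysis tools" in the weaknesses section below; restore that title as |chapter= here and move the proceedings name to |title=.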
Line 167:
|isbn=9781450386654
|s2cid=237346987
|chapter-url=https://dl.acm.org/doi/abs/10.1145/3475716.3475769
}}</ref><ref>
{{Cite book
Line 189:
Another common use case for SCA is technology [[Due diligence|due diligence]]. Prior to a [[Mergers and acquisitions|merger & acquisition]] (M&A) transaction, [[Independent advisory firm|advisory firms]] review the risks associated with the target firm's software.<ref>
{{Cite
|last1=Serafini|first1=Daniele
|last2=Zacchiroli|first2=Stefano
|date=September 2022
▲|title= Efficient Prior Publication Identification for Open Source Code
▲|journal=Proceedings of the 18th International Symposium on Open Collaboration
|volume=4
|pages=1–8
Line 202:
|isbn=9781450398459
|s2cid=251018650
|chapter-url=https://dl.acm.org/doi/abs/10.1145/3555051.3555068
}}</ref>
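The scanning pipeline described in the list above (identify components and versions, compare the catalog against vulnerability and license data, emit an SBOM-style report) as an added worked example in Python; this is not code from the article or from any SCA product. The manifest, package names, vulnerability records and licenses are all constructed for illustration and refer to no real project or CVE. The vulnerability feed deliberately contains one entry that exists only in a vendor advisory and not in the NVD, so the same scan can be run in an "NVD only" mode to show the lag weakness discussed in the weaknesses section, and the output uses a simplified SBOM-like shape rather than a full CycloneDX or SPDX document.

```python
"""Toy SCA pipeline (added example): parse a manifest, catalog components,
match them against vulnerability and license data, and emit a minimal SBOM.
Every package name, vulnerability record and license below is constructed
for illustration and refers to no real project or CVE."""
import re

# Constructed manifest in requirements.txt style (exact version pins only).
SAMPLE_MANIFEST = """
# application dependencies (constructed example)
examplelib==2.4.1
Widget_Kit==0.9.0   # name needs normalisation before lookup
parserpro==1.2.0
safepkg==3.0.0
"""

# Constructed vulnerability feed keyed by normalised component name. Each
# record gives the affected half-open range [introduced, fixed) and whether
# the entry has reached the NVD; in_nvd=False models a vendor advisory that
# the NVD has not yet published.
VULN_DB = {
    "examplelib": [{"id": "VULN-0001", "introduced": "2.0.0", "fixed": "2.4.2", "in_nvd": True}],
    "widget-kit": [{"id": "ADV-0042", "introduced": "0.8.0", "fixed": "0.9.1", "in_nvd": False}],
    "parserpro": [{"id": "VULN-0002", "introduced": "1.0.0", "fixed": "1.1.0", "in_nvd": True}],
}

# Constructed license catalog (SPDX identifiers) and copyleft classes.
LICENSE_DB = {"examplelib": "MIT", "widget-kit": "GPL-3.0-only",
              "parserpro": "LGPL-2.1-only", "safepkg": "Apache-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}


def normalize_name(name):
    """PEP 503 name normalisation: lower-case, runs of '-', '_' or '.' -> '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_manifest(text):
    """Return {normalised_name: version} for each 'name==version' line,
    ignoring blanks and '#' comments. Anything else is rejected rather than
    silently skipped: a component the scanner misses is a finding it misses."""
    catalog = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9]+(?:\.[0-9]+)*)", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        catalog[normalize_name(m.group(1))] = m.group(2)
    return catalog


def version_key(v):
    """Numeric dotted versions only, e.g. '2.4.1' -> (2, 4, 1)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version, record):
    """True when introduced <= version < fixed."""
    return version_key(record["introduced"]) <= version_key(version) < version_key(record["fixed"])


def match_vulnerabilities(catalog, vuln_db, nvd_only=False):
    """Map component -> matching records. nvd_only=True mimics a product that
    reports only entries already published in the NVD."""
    findings = {}
    for name, version in catalog.items():
        hits = [r for r in vuln_db.get(name, ())
                if is_affected(version, r) and (r["in_nvd"] or not nvd_only)]
        if hits:
            findings[name] = hits
    return findings


def classify_license(spdx):
    """Strong/weak copyleft classification for the legal-compliance output."""
    if spdx in STRONG_COPYLEFT:
        return "strong copyleft"
    if spdx in WEAK_COPYLEFT:
        return "weak copyleft"
    return "permissive" if spdx else "unknown"


def build_sbom(catalog, findings, license_db):
    """Simplified SBOM-like structure, not a full CycloneDX or SPDX document."""
    components = []
    for name, version in sorted(catalog.items()):
        spdx = license_db.get(name)
        components.append({
            "name": name, "version": version,
            "license": spdx, "license_class": classify_license(spdx),
            "vulnerabilities": [r["id"] for r in findings.get(name, [])],
        })
    return {"components": components}


def scan(manifest_text, nvd_only=False):
    """Whole pipeline: manifest -> catalog -> vulnerability/license match -> SBOM."""
    catalog = parse_manifest(manifest_text)
    findings = match_vulnerabilities(catalog, VULN_DB, nvd_only=nvd_only)
    return build_sbom(catalog, findings, LICENSE_DB)


if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE_MANIFEST), indent=2))                 # reports ADV-0042
    print(json.dumps(scan(SAMPLE_MANIFEST, nvd_only=True), indent=2))  # misses it
```

Running the two scans side by side shows the gap: the full feed flags both examplelib (VULN-0001) and widget-kit (ADV-0042), while the NVD-only scan drops the widget-kit finding because its advisory has not yet been published there. The version comparison here handles numeric dotted versions only; real tools must also cope with pre-release tags, ecosystem-specific version schemes and transitive dependencies, which this toy does not attempt.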
== SCA Strengths ==
Automation is the primary strength of SCA products: developers do not have to do extra manual work when using and integrating OSS components.<ref>
{{Cite
|last1=Chen|first1=Yang
|last2=Santosa|first2=Andrew E
|last3=Sharma|first3=Asankhaya
|last4=Lo|first4=David
|
|date=September 2020
▲|title= Automated identification of libraries from vulnerability data
▲|journal=Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering: Software Engineering in Practice
|pages=90–99
|doi=10.1145/3377813.3381360
|isbn=9781450371230
|s2cid=211167417
|url=https://
|chapter-url=https://dl.acm.org/doi/pdf/10.1145/3377813.3381360
}}</ref> The automation also extends to indirect (transitive) references to other OSS components within code and artifacts.<ref>
{{Cite journal
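Review bot: |url=https:// in the Chen et al. template is a bare scheme with no host, left behind by the URL anonymisation, and will render as a broken link; remove it, since |chapter-url= on the next line already carries the ACM link. The same template also still has both |title= and |journal= set alongside |chapter-url=, so the paper title and proceedings name need the same title/chapter swap as the other converted templates in this diff.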
Line 237 ⟶ 238:
Conversely, some key weaknesses of current SCA products may include:
* Complex and labor-intensive deployment that can take months to become fully operational<ref>
{{Cite
|last1=Rajapakse|first1=Roshan Namal
|last2=Zahedi|first2=Mansooreh
|last3=Babar|first3=Muhammad Ali
|
|
|date=2021
▲|title= An Empirical Analysis of Practitioners' Perspectives on Security Tool Integration into DevOps
▲|journal=Proceedings of the 15th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)
|pages=1–12
|doi=10.1145/3475716.3475776
Line 249 ⟶ 250:
|isbn=9781450386654
|s2cid=235731939
|chapter-url=https://dl.acm.org/doi/pdf/10.1145/3475716.3475776
}}</ref>
* Each product uses its own proprietary database of OSS components, and these databases vary dramatically in size and coverage<ref>
{{Cite
|last1=Imtiaz|first1=Nasif
|last2=Thorn|first2=Seaver
|last3=Williams|first3=Laurie
|
▲|
|date=2021
▲|title= A comparative study of vulnerability reporting by software composition analysis tools
▲|journal=Proceedings of the 15th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)
|pages=1–11
|doi=10.1145/3475716.3475769
Line 264 ⟶ 265:
|isbn=9781450386654
|s2cid=237346987
|chapter-url=https://dl.acm.org/doi/pdf/10.1145/3475716.3475769
}}</ref>
* Vulnerability data limited to vulnerabilities officially published in the NVD, which can be months after the vulnerability was originally discovered<ref>{{Cite web|url=https://owasp.org/www-community/Component_Analysis|title=Component Analysis|website=owasp.org}}</ref>
* Lack of automated guidance on actions to take based on SCA reports and data<ref>
{{Cite
|last1=Foo|first1=Darius
|last2=Chua|first2=Hendy
Line 274 ⟶ 275:
|last4=Ang|first4=Ming Yi
|last5=Sharma|first5=Asankhaya
|
|date=2018
▲|title= Efficient static checking of library updates
▲|journal=Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering
|pages=791–796
|doi=10.1145/3236024.3275535
|isbn=9781450355735
|s2cid=53079466
|chapter-url=https://dl.acm.org/doi/pdf/10.1145/3236024.3275535
}}</ref>
* Lack of guidance on the legal requirements of the OSS licenses that are detected<ref>
|