开源软件漏洞库综述

信息安全研究 ›› 2021, Vol. 7 ›› Issue (6): 566-574.

开源软件漏洞库综述

贾培养1,2 孙鸿宇1,2 曹婉莹2 伍高飞1,2 王文杰2

1（西安电子科技大学网络与信息安全学院西安 710071）
2（中国科学院大学国家计算机网络入侵防范中心北京 101408）

出版日期:2021-06-10 发布日期:2021-06-10
通讯作者: 贾培养硕士研究生.主要研究方向为网络空间安全． jiapy@nipc.org.cn
作者简介:贾培养硕士研究生.主要研究方向为网络空间安全． jiapy@nipc.org.cn 孙鸿宇博士研究生．主要研究方向为信息安全与机器学习． sunhy@nipc.org.cn 曹婉莹博士研究生．主要研究方向为网络空间安全． caowy@nipc.org.cn 伍高飞博士，硕士生导师.主要研究方向为密码学. wugf@nipc.org.cn 王文杰，副教授. 主要研究方向为网络与信息系统安全． wangwj@gucas.ac.cn

Open Source Software Vulnerability DataBase Overview

Online:2021-06-10 Published:2021-06-10

摘要/Abstract

摘要： 近年来，随着软件开发周期的不断缩短，越来越多的软件开发者在其项目代码中使用大量的开源代码，软件开发者往往只关注自己负责部分的代码安全，几乎不关注项目采用的开源代码的安全性问题，开源软件的使用者很难将传统漏洞数据库中的漏洞条目对应到当前的软件版本中，现有的漏洞版本控制方案和开源代码的版本控制方案之间存在一定的差异，这使得开源代码使用者无法及时修复存在漏洞的代码，因此一个能够准确收集开源漏洞情报并对漏洞进行精确匹配的漏洞库是十分必要的．本文首先介绍了开源代码的广泛使用带来的潜在安全挑战，其次对现有开源漏洞库平台的情况进行了详细分析，同时对现有开源漏洞库从多个维度进行了对比研究，然后给出了当前开源漏洞库建设面临的问题和挑战，最后给出了建设开源漏洞数据库的一些建议．

关键词: 开源软件, 漏洞数据库, 版本控制, 开源漏洞情报, 开源漏洞库

Abstract: In recent years, with the continuous shortening of the software development cycle, a large number of open source code is used in modern software projects, and software developers tend to focus only on the security of the part of the project code they are responsible for, and rarely pay attention to the security of the open source code used in the project, and it is difficult for users to correspond the vulnerability entries in the traditional vulnerability repository to the current software version. and existing vulnerabilities There are some differences between existing version control schemes and those of open source code, so a vulnerability repository that can accurately collect open source code vulnerability intelligence and precisely match vulnerabilities is essential. This paper first introduces the potential security challenges brought by the widespread use of open source code, then analyzes in detail the existing open source vulnerability repository platforms and conducts a comparative study of existing open source vulnerability databases from several dimensions, then gives the problems and challenges faced by the construction of current open source vulnerability databases, and finally gives some suggestions for building open source vulnerability databases.

Key words: open source code, vulnerability database , version control , open source vulnerability intelligence, open source vulnerability database

贾培养孙鸿宇曹婉莹伍高飞王文杰. 开源软件漏洞库综述[J]. 信息安全研究, 2021, 7(6): 566-574.

参考文献

[1] Ohm M, Plate H, Sykosch A, et al. Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks[C]/Proc of /Int Conf on Detection of Intrusions and Malware, and Vulnerability Assessment. Cham:Springer, 2020: 23-43
[2] 李震宁, 刘莉, 孟杰. 开源软件商业化中面临的知识产权风险[J]. 网络空间安全, 2020, 9(8): 1
[3] OSV漏洞数据库 [EB/OL]. [2021-05-19]. https://osv.dev/
[4] OSS-Fuzz [EB/OL]. [2021-05-17]. https://github.com/google/oss-fuzz
[5] WhiteSource漏洞数据库[EB/OL]. [2021-05-20]. https://www.whitesourcesoftware.com/vulnerability-database/
[6] Snyk漏洞数据库[EB/OL]. [2021-05-20]. https://snyk.io/vuln
[7] Veracode漏洞数据库[EB/OL]. [2021-05-20]. https://www.sourceclear.com/vulnerability-database
[8] 郭雪, 孔松, 王皓月. 企业级开源风险及治理模式研究[J]. 信息通信技术与政策, 2020, 46(5): 45
[9] 孙鸿宇, 何远, 王基策, 等. 人工智能技术在安全漏洞领域的应用[J]. 通信学报, 2018, 39(8): 1-17
[10] 冯兆文, 刘振慧. 开源软件漏洞安全风险分析[J]. 保密科学技术, 2020
[11] 赵尚儒, 李学俊, 方越, 等. 安全漏洞自动利用综述[J]. 计算机研究与发展, 2019, 56(10): 2097
[12] Dong Y, Guo W, Chen Y, et al. Towards the detection of inconsistencies in public security vulnerability reports[C]//Proc of the 28th USENIX Security Symp. Berkeley, CA: USENIX Association, 2019: 869-885
[13] Decan A, Mens T, Grosjean P. An empirical comparison of dependency network evolution in seven software packaging ecosystems[J]. Empirical Software Engineering, 2019, 24(1): 381-416
[14] Ponta S E, Plate H, Sabetta A. Detection, assessment and mitigation of vulnerabilities in open source dependencies[J]. Empirical Software Engineering, 2020, 25(5): 3175-3215
[15] Vu D L, Pashchenko I, Massacci F, et al. Towards using source code databases to identify software supply chain attacks[C]//Proc of the 2020 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2020: 2093-2095.
[16] Rath M, Mäder P. Request for comments: conversation patterns in issue tracking systems of open-source projects[C]//Proc of the 35th Annual ACM Symp on Applied Computing. New York: ACM, 2020: 1414-1417.
[17] Campbell D, Cabrera-Diego L A, Korkontzelos Y. What is the message about? Automatic multi-label classification of open source repository messages into content types[C]//Proc of Joint European-US Workshop on Applications of Invariance in Computer Vision. Cham: Springer, 2020: 520-531