
Prioritizing Open Source Vulnerabilities: Is Reachability Useful?

Effective vulnerability management is a major task for development teams, and knowing which problems to prioritize can save unnecessary re-work. In the Software Composition Analysis (SCA) community, a hotly-debated approach to prioritization is vulnerability reachability, also known as "call flow" analysis: determining whether the application actually calls the vulnerable code in a dependency, rather than merely depending on a vulnerable version. Today, we take a look at why vendors argue for or against reachability analysis.


Article contents

  1. Requirements
  2. What is the right solution?
  3. What if I have to pick between data quality or prioritization?
  4. Conclusion: Aim for Better Data


First, there are two minimum requirements for estimating static reachability:

  • Static analysis of program behavior

  • Specific vulnerability signatures

Static analysis without vulnerability signatures won't tell you which Common Vulnerabilities and Exposures (CVEs) in third-party code your application actually triggers: the analyzer can see that you call into a library, but not which of those calls corresponds to a CVE. Signatures without precise static analysis will result in inaccurate and misleading prioritization guidance: either every use of the library is flagged, or paths that go through callbacks, reflection or framework entry points are missed.

Speed is also a consideration, since no developer or security expert wants to wait anywhere from 30 minutes to several hours after a source code change to find out something is vulnerable. Our full requirements list is therefore:

  1. Accurate vulnerable method signatures

  2. Precise static analysis

  3. Efficient (fast) analysis

Let’s dig into what is required to achieve (or not achieve) each.
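To make the first two requirements concrete, here is an added example (not code from the original post or from Sonatype) of a minimal static reachability check in Python's standard library: a set of vulnerable method signatures is combined with a call graph built from the application's source, and each signature is classified as reachable from an entry point (with the call path, i.e. the "call flow"), referenced but unreachable, or never referenced. The module names (`yamlkit`, `imgtool`), method names, application source and entry point are all constructed for illustration and do not correspond to real libraries or CVEs. The `component_level_match` function shows what you get from signatures alone, with no analysis: every signature in any imported library is flagged.

```python
"""Toy static reachability: vulnerable-method signatures + call-graph analysis."""
import ast
from collections import deque

# Constructed signatures ("module.method"), the kind an SCA vendor would derive
# from each advisory's fix commit. Hypothetical names, not real CVEs.
VULNERABLE_METHODS = {
    "yamlkit.unsafe_load",  # hypothetical: deserialises untrusted input
    "yamlkit.safe_load",    # hypothetical: second issue in the same library
    "imgtool.resize",       # hypothetical: issue in a library the app barely uses
}

# Constructed application source, standing in for what the analyzer reads from disk.
APP_SOURCE = '''
import yamlkit
import imgtool as img

def parse_config(text):
    return yamlkit.unsafe_load(text)

def handle_request(body):
    cfg = parse_config(body)
    return render(cfg)

def render(cfg):
    return str(cfg)

def unused_thumbnail(path):
    return img.resize(path, 128)   # defined, but nothing reachable calls it
'''

ENTRY_POINTS = {"handle_request"}  # constructed: the app's request handler


class _CallCollector(ast.NodeVisitor):
    """Collect the callees of one function body, resolving `import m as alias`."""

    def __init__(self, aliases):
        self.aliases = aliases
        self.callees = set()

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Name):              # local function call: foo()
            self.callees.add(func.id)
        elif isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            module = self.aliases.get(func.value.id, func.value.id)  # alias -> module
            self.callees.add(f"{module}.{func.attr}")                # module.method()
        self.generic_visit(node)  # calls nested inside arguments count too


def build_call_graph(source):
    """Map each top-level function name to the set of names it calls."""
    tree = ast.parse(source)
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
    graph = {}
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            collector = _CallCollector(aliases)
            collector.visit(node)
            graph[node.name] = collector.callees
    return graph


def component_level_match(source, vulnerable):
    """Signatures without analysis: flag every signature in any imported module."""
    tree = ast.parse(source)
    imported = {a.name for n in ast.walk(tree) if isinstance(n, ast.Import) for a in n.names}
    return {sig for sig in vulnerable if sig.rsplit(".", 1)[0] in imported}


def classify(graph, entry_points, vulnerable):
    """BFS from the entry points; return {sig: (status, call_path_or_None)}."""
    parent = {e: None for e in entry_points}
    queue = deque(sorted(entry_points))
    while queue:
        node = queue.popleft()
        for callee in sorted(graph.get(node, ())):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    referenced = set().union(*graph.values())
    result = {}
    for sig in sorted(vulnerable):
        if sig in parent:                       # reachable: rebuild the call flow
            path, cur = [], sig
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            result[sig] = ("reachable", path[::-1])
        elif sig in referenced:                 # called somewhere, but not from an entry point
            result[sig] = ("unreachable", None)
        else:                                   # library imported, method never called
            result[sig] = ("unreferenced", None)
    return result


if __name__ == "__main__":
    graph = build_call_graph(APP_SOURCE)
    print("component-level match:", sorted(component_level_match(APP_SOURCE, VULNERABLE_METHODS)))
    for sig, (status, path) in classify(graph, ENTRY_POINTS, VULNERABLE_METHODS).items():
        print(f"{sig}: {status}" + (f" via {' -> '.join(path)}" if path else ""))
```

Run as a script, the component-level match lists all three signatures, while the reachability pass ranks only `yamlkit.unsafe_load` as reachable (via `handle_request -> parse_config -> yamlkit.unsafe_load`), marks `imgtool.resize` as present but unreachable, and `yamlkit.safe_load` as never referenced. The caveat is the "precise" in requirement 2: this toy resolves only direct calls and import aliases, so a real analyzer must also handle callbacks, dynamic dispatch, reflection and framework-invoked entry points, otherwise "unreachable" is only as trustworthy as the call graph is complete.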

Requirements

1. Accurate vulnerable method signatures

This is the cornerstone of vulnerable method detection. Without researching the library's source code to determine the specific vulnerable method(s), accurate results are impossible. Further, no public vulnerability database specifies the method call or configuration settings that expose the vulnerability, so this research has to be done per advisory.

Getting accurate signatures requires:

  1. The fix commit: This is the source code change that corrected the vulnerability. The methods touched by the fix identify the method(s) that must be called in unfixed versions for the vulnerability to be exploitable.

  2. The introduction commit: This is the source code that introduced the vulnerability. In many cases, a disclosure will incorrectly say that it applies to all previous versions, including those older (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Stephen Magill. Read the original post at: https://blog.sonatype.com/prioritizing-open-source-vulnerabilities-is-reachability-useful