CVMan: A Framework for Clone-Incurred Vulnerability Management

Authors:

Shi Jian (1), Zou Deqing (1), Xu Shouhuai (2), Jin Hai (3)

Affiliation:

1. National Engineering Research Center for Big Data Technology and System, Services Computing Technology and System Lab, Hubei Engineering Research Center on Big Data Security, School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China

2. College of Engineering and Applied Science, University of Colorado Colorado Springs, Colorado Springs, CO 80918, USA

3. National Engineering Research Center for Big Data Technology and System, Services Computing Technology and System Lab, Cluster and Grid Computing Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China

Abstract

Software clones may cause vulnerability proliferation, which highlights the importance of investigating clone-incurred vulnerabilities. In this paper, we propose a framework for automatically managing clone-incurred vulnerabilities. Two innovations of the framework are the notion of the spatial clone-relation graph, which describes clone-based relationships between software programs, and the temporal clone-relation graph, which describes the evolution of clones in software over time. As a case study, we apply the framework to analyze eight versions of Ubuntu while drawing a number of insights, such as: (i) clones are prevalent with about one-sixth of the codebase being clones; (ii) intra-program clones are often attributed to polymorphisms or functional similarities between procedures, while inter-program clones are often attributed to shared code repositories and the reuse of libraries; (iii) the clone surface of Linux remains stable at around 0.6, meaning that spatial and temporal clones in Linux account for about 60% of the codebase, while the lifetime of 53% clones spans eight versions; and (iv) the clone-incurred vulnerability surface in Linux is small, while vulnerable clones and non-vulnerable clones have similar lifetimes.
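As an added illustration of the two graph notions and the clone surface and lifetime metrics named in the abstract (example code written for this page, not the CVMan framework's own implementation): the corpus, hashes and the vulnerable clone class are constructed, and an equal body hash stands in for a real clone detector's verdict.

```python
from collections import defaultdict
from itertools import combinations

# Constructed corpus (not the paper's data): release -> program -> procedure ->
# (hash of normalized body, line count); equal hashes stand for "is a clone of".
LINUX = {"alloc": ("h1", 30), "parse": ("h2", 40), "init": ("h9", 30)}
LIBFOO = {"alloc_copy": ("h1", 30), "misc": ("h3", 50), "misc2": ("h3", 50)}
TOOL = {"parse_copy": ("h2", 40)}
VERSIONS = {
    "v1": {"linux": LINUX, "libfoo": LIBFOO},
    "v2": {"linux": LINUX, "libfoo": LIBFOO, "tool": TOOL},
    "v3": {"linux": {**LINUX, "parse": ("h8", 40)}, "libfoo": LIBFOO, "tool": TOOL},
}
VULNERABLE = {"h1"}  # constructed: clone class known to carry a vulnerability

def spatial_edges(version):
    """Spatial clone-relation graph of one release: equal-hash pairs, tagged 'intra'/'inter'-program."""
    by_hash = defaultdict(list)
    for prog, procs in version.items():
        for name, (h, _) in procs.items():
            by_hash[h].append((prog, name))
    return [(a, b, "intra" if a[0] == b[0] else "inter")
            for nodes in by_hash.values() for a, b in combinations(nodes, 2)]

def lifetimes(versions):
    """Temporal clone-relation graph reduced to lifetimes: hash -> releases seen."""
    seen = defaultdict(list)
    for tag, version in versions.items():
        for procs in version.values():
            for h, _ in procs.values():
                if tag not in seen[h]:
                    seen[h].append(tag)
    return dict(seen)

def clone_surface(versions, tag, program):
    """Share of a program's lines in procedures that are spatial clones (a twin in
    the same release) or temporal clones (the same code present in another release)."""
    spatial = {n for a, b, _ in spatial_edges(versions[tag]) for n in (a, b)}
    spans = lifetimes(versions)
    total = cloned = 0
    for name, (h, lines) in versions[tag][program].items():
        total += lines
        if (program, name) in spatial or len(spans[h]) > 1:
            cloned += lines
    return cloned / total

def mean_lifetime(versions, vulnerable):
    """Mean releases spanned by vulnerable (True) or non-vulnerable clone classes."""
    spans = [len(v) for h, v in lifetimes(versions).items() if (h in VULNERABLE) == vulnerable]
    return sum(spans) / len(spans)
```

In the constructed corpus the `parse` procedure of `linux` is rewritten in `v3`, so its `v3` clone surface drops to the lines of `alloc` (a spatial twin in `libfoo`) plus `init` (unchanged since `v1`), while the rewritten body has no clone and no lifetime beyond one release.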

Funder

National Natural Science Foundation of China

NSF Grants

Colorado State Bill

Publisher

MDPI AG

Subject

Fluid Flow and Transfer Processes, Computer Science Applications, Process Chemistry and Technology, General Engineering, Instrumentation, General Materials Science

