Description
Effective vulnerability management is indispensable for security in today’s diverse and
decentralized software ecosystems. This thesis addresses critical challenges in vulnerability
communication flows by developing EVulCoF, a comprehensive framework for
consolidating, enhancing, and operationalizing vulnerability intelligence. The research
examines the systematic mapping of vulnerabilities documented in databases such as
CVE and OSV to affected software packages and versions, revealing significant gaps
and inconsistencies in current practices.
By integrating multiple authoritative data sources, including VulnCheck’s NVD++ and
KEV catalog, OSV, and CSAF advisories, the study establishes a unified graph-based
knowledge repository that enables complex relationship modeling and sophisticated
vulnerability analytics. The framework implements automated equivalence mapping
techniques leveraging standardized identifiers (CPE, pURL) alongside AI-driven algorithms
to overcome discrepancies in product naming and versioning schemes. Performance
evaluation demonstrates that the system efficiently processes over 560,000
vulnerability entries while enabling millisecond-level query response times for complex
vulnerability analysis.
The research reveals substantial variability in repository-specific advisory practices
and highlights the effectiveness of structured formats like CSAF for enhanced standardization.
By modeling vulnerability data as a property graph in Neo4j, EVulCoF supports
identifying vulnerability patterns, tracking affected-product relationships, and
driving security intelligence workflows that flat per-source feeds do not allow.
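The two mechanisms the abstract names, equivalence mapping of CPE and pURL identifiers to one product key and a property-graph model of advisories, vulnerabilities and products that can be loaded into Neo4j, as an added example that is not EVulCoF's own code. The alias table, the placeholder identifier EXAMPLE-2024-0001 and the NVD-style and OSV-style records are constructed for illustration (the Maven coordinates org.apache.logging.log4j:log4j-core versus the CPE vendor/product apache:log4j are how the two ecosystems really name the same library); version ordering is reduced to numeric components and is not full SemVer precedence.

```python
"""Added example (not part of the thesis): normalise CPE 2.3 and pURL identifiers to one
product key, merge NVD-style and OSV-style affected records into a small in-memory
property graph, emit Cypher MERGE statements for Neo4j, and answer
"is version X of product Y affected, and according to which advisory?" over the result.
The alias table and the vulnerability records are constructed for illustration."""
import json
import re


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 13 components; a colon inside a
    component is escaped as '\\:', so split only on unescaped colons."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return {"part": parts[2], "vendor": parts[3], "product": parts[4], "version": parts[5]}


_PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<namespace>[^@?#]+)/)?(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?(?P<qualifiers>[^#]*))?(?:#(?P<subpath>.*))?$"
)


def parse_purl(purl: str) -> dict:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath (namespace may contain '/')."""
    m = _PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a pURL: {purl!r}")
    return {k: (v.lower() if k == "type" else v) for k, v in m.groupdict().items()}


# Constructed alias table: (purl type, namespace, name) -> (CPE vendor, CPE product).
# Bridging this naming gap is the job of the thesis's equivalence mapping; a static
# table stands in for it here. Unmapped pURLs keep namespace:name as their own key.
PURL_TO_CPE = {
    ("maven", "org.apache.logging.log4j", "log4j-core"): ("apache", "log4j"),
}


def product_key_from_purl(purl: str) -> str:
    p = parse_purl(purl)
    vendor, product = PURL_TO_CPE.get(
        (p["type"], p["namespace"], p["name"]), (p["namespace"] or p["type"], p["name"]))
    return f"{vendor}:{product}"


def _vkey(v: str) -> list:
    """Simplification: order versions by their numeric components only, not full SemVer."""
    return [int(x) for x in re.findall(r"\d+", v)]


def range_contains(events: list, version: str) -> bool:
    """Evaluate an OSV-style sorted events list for one version:
    [{"introduced": ..}, {"fixed": ..} or {"last_affected": ..}, {"introduced": ..}, ...]."""
    v, affected = _vkey(version), False
    for ev in events:
        if "introduced" in ev and v >= _vkey(ev["introduced"]):
            affected = True
        elif "fixed" in ev and v >= _vkey(ev["fixed"]):
            affected = False
        elif "last_affected" in ev and v > _vkey(ev["last_affected"]):
            affected = False
    return affected


class PropertyGraph:
    """Minimal in-memory property graph in the shape used for Neo4j: nodes keyed by
    (label, id), relationships keyed by (src, type, dst), both carrying properties."""

    def __init__(self):
        self.nodes, self.rels = {}, {}

    def merge_node(self, label, node_id, **props):
        self.nodes.setdefault((label, node_id), {}).update(props)
        return (label, node_id)

    def merge_rel(self, src, rel_type, dst, **props):
        self.rels.setdefault((src, rel_type, dst), {}).update(props)

    def to_cypher(self) -> list:
        """Idempotent MERGE statements (repr() of a str is valid Cypher string syntax)."""
        out = []
        for (label, nid), props in sorted(self.nodes.items()):
            extra = "".join(f", {k}: {v!r}" for k, v in sorted(props.items()))
            out.append(f"MERGE (:{label} {{id: {nid!r}{extra}}});")
        for ((sl, sid), rt, (dl, did)), props in sorted(self.rels.items()):
            sets = "".join(f" SET r.{k} = {v!r}" for k, v in sorted(props.items()))
            out.append(f"MATCH (a:{sl} {{id: {sid!r}}}), (b:{dl} {{id: {did!r}}}) "
                       f"MERGE (a)-[r:{rt}]->(b){sets};")
        return out


def ingest_nvd(g, vuln_id, cpe_matches):
    """NVD CVE API 2.0 shape: each cpeMatch has 'criteria' plus optional
    versionStartIncluding / versionEndExcluding. Ranges are converted to the OSV event
    shape so both sources are evaluated by the same range_contains()."""
    adv = g.merge_node("Advisory", f"nvd:{vuln_id}", source="nvd")
    g.merge_rel(adv, "DESCRIBES", g.merge_node("Vulnerability", vuln_id))
    for m in cpe_matches:
        if not m.get("vulnerable", True):
            continue
        c = parse_cpe23(m["criteria"])
        prod = g.merge_node("Product", f"{c['vendor']}:{c['product']}")
        if c["version"] in ("*", "-"):  # range lives in the match, not in the CPE
            events = [{"introduced": m.get("versionStartIncluding", "0")}]
            if "versionEndExcluding" in m:
                events.append({"fixed": m["versionEndExcluding"]})
        else:  # exact-version CPE
            events = [{"introduced": c["version"]}, {"last_affected": c["version"]}]
        g.merge_rel(adv, "AFFECTS", prod, events=json.dumps(events))


def ingest_osv(g, osv):
    """OSV record shape: affected[].package.purl and affected[].ranges[].events."""
    adv = g.merge_node("Advisory", f"osv:{osv['id']}", source="osv")
    g.merge_rel(adv, "DESCRIBES", g.merge_node("Vulnerability", osv["id"]))
    for a in osv["affected"]:
        prod = g.merge_node("Product", product_key_from_purl(a["package"]["purl"]))
        events = [e for r in a.get("ranges", [])
                  if r["type"] in ("ECOSYSTEM", "SEMVER") for e in r["events"]]
        g.merge_rel(adv, "AFFECTS", prod, events=json.dumps(events))


def advisories_affecting(g, product_key, version):
    """Which advisories (prefixed by source) say this product version is affected?"""
    return sorted(src[1] for (src, rt, dst), props in g.rels.items()
                  if rt == "AFFECTS" and dst == ("Product", product_key)
                  and range_contains(json.loads(props["events"]), version))


def build_sample_graph():
    """Constructed records: one issue as NVD names the product (CPE) and as OSV names it (pURL)."""
    g = PropertyGraph()
    ingest_nvd(g, "EXAMPLE-2024-0001", [
        {"criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.0", "versionEndExcluding": "2.15.0"},
    ])
    ingest_osv(g, {
        "id": "EXAMPLE-2024-0001",
        "affected": [{
            "package": {"ecosystem": "Maven", "name": "org.apache.logging.log4j:log4j-core",
                        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "2.0"}, {"fixed": "2.15.0"}]}],
        }],
    })
    return g


if __name__ == "__main__":
    graph = build_sample_graph()
    print("\n".join(graph.to_cypher()))
    print(advisories_affecting(graph, "apache:log4j", "2.14.1"))
```

Both advisories collapse onto a single `Product` node only because the alias table resolves the pURL to the CPE vendor/product pair; without that entry the OSV record would create a second, disconnected product, which is exactly the inconsistency the abstract describes. Advisories are kept as their own nodes, so the graph retains which source made which claim about which range instead of overwriting one with the other.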
The thesis concludes by identifying promising directions for future advancement,
including enhanced AI-driven intelligence and advanced search capabilities, ultimately
contributing to more effective vulnerability management practices across software
supply chains.
Keywords: Vulnerability Intelligence, CVE, OSV, Knowledge Graph, Neo4j, CSAF