Quantifying Packet Security via OSS Ecosystem Data and Security Advisory Mapping

Supervisor(s): Veronique Momeu, David Emeis
Status: finished
Topic: Others
Author: Maximilian Seilmaier
Submission: 2026-02-13
Type of Thesis: Master's thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

The reliance on the National Vulnerability Database (NVD) as the single reference for vulnerability information has revealed significant systemic risks, ranging from funding instability to growing data backlogs. Consequently, dependency auditing tools that depend solely on this centralized model often suffer from stale data and tend to overclaim vulnerabilities because of imprecise mapping. This thesis presents EVulCoF++, a comprehensive package analysis prototype designed to aggregate vulnerability and security advisory information and to quantify the security posture of open source software packages by decoupling vulnerability matching from single points of failure and calculating metrics based on ecosystem data.
Addressing a significant gap in the current literature, which predominantly focuses on ecosystems like NPM or Maven, this work provides a novel analysis of the Composer ecosystem by contrasting its fragmented, decentralized vulnerability communication with the centralized, system-level environment of Ubuntu. To bridge the disparities between heterogeneous data sources, ranging from national databases such as the CNVD and JVN to unstructured vendor advisories, the developed prototype uses a plugin-based aggregation architecture. A primary contribution of this research is the implementation of a hybrid enrichment pipeline that combines deterministic algorithms and Large Language Models (LLMs) to synthesize standardized software identifiers such as Package-URLs (PURLs) and CPE strings. This approach allows vague security advisories to be mapped directly to specific packages, reducing the reliance on transitive CVE links for vulnerability attribution. Beyond vulnerability matching, the tool implements a taxonomy of security posture metrics, distinguishing between Immediate Risk (known vulnerabilities) and Project Risk (long-term health signals such as abandonment and maintainer overload). Evaluation of the prototype demonstrates that while the Composer ecosystem exhibits a higher prevalence of vulnerability communication flaws, algorithmic enrichment successfully mitigates these gaps, increasing the detection of unique vulnerable versions by approximately 31%. Additionally, by isolating the system from NVD data, we demonstrated that roughly 14% of vulnerable versions could be identified solely through our enrichment strategy, independent of the central CVE system.
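The following is an added illustration, not code from the EVulCoF++ prototype, of the deterministic side of the enrichment pipeline described above: a Composer advisory that names only a package and an affected version range is turned into exact PURLs and matched on version rather than on package name, which is how overclaiming from imprecise mapping is avoided. The advisories and inventory are constructed sample data, the advisory IDs are placeholders, and the constraint grammar is a simplified subset of Composer's (comma-separated comparison clauses only, no `^`, `~` or `||`).

```python
import re
from typing import Dict, List

# Constructed sample advisories: vendor-style notices with a Composer package
# name and an affected range, but no CVE identifier to pivot on.
ADVISORIES = [
    {"id": "ADV-SAMPLE-1", "package": "acme/http-client", "affected": ">=1.0.0,<1.4.2"},
    {"id": "ADV-SAMPLE-2", "package": "acme/http-client", "affected": "<0.9.0"},
]
# Constructed installed-package inventory, as a composer.lock would list it.
INVENTORY = {"acme/http-client": ["0.8.0", "1.3.0", "1.4.2"], "acme/orm": ["2.1.0"]}

_OP = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
       "<=": lambda a, b: a <= b, "<": lambda a, b: a < b, "==": lambda a, b: a == b}
_CLAUSE = re.compile(r"^(>=|<=|>|<|==)?\s*(\d+(?:\.\d+)*)$")

def parse_version(v: str) -> tuple:
    """'1.4' -> (1, 4, 0): pad to three components so 1.4 and 1.4.0 compare equal."""
    parts = [int(x) for x in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def satisfies(version: str, constraint: str) -> bool:
    """True if version meets every comma-separated clause (logical AND)."""
    for clause in constraint.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
        op, bound = m.group(1) or "==", parse_version(m.group(2))
        if not _OP[op](parse_version(version), bound):
            return False
    return True

def to_purl(name: str, version: str) -> str:
    """Composer PURL of the form pkg:composer/<vendor>/<name>@<version>."""
    return f"pkg:composer/{name}@{version}"

def match_advisories(inventory: Dict[str, List[str]], advisories) -> Dict[str, List[str]]:
    """Map each installed version inside an affected range to the advisories hitting it."""
    hits: Dict[str, List[str]] = {}
    for adv in advisories:
        for version in inventory.get(adv["package"], []):
            if satisfies(version, adv["affected"]):
                hits.setdefault(to_purl(adv["package"], version), []).append(adv["id"])
    return hits

def name_only_matches(inventory: Dict[str, List[str]], advisories) -> int:
    """Baseline that flags every installed version of a named package (overclaims)."""
    names = {adv["package"] for adv in advisories}
    return sum(len(vs) for n, vs in inventory.items() if n in names)
```

On the sample data the version-aware matcher flags two PURLs, while the name-only baseline flags all three installed versions of `acme/http-client`, including the fixed 1.4.2.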