On the Security Blind Spots of Software Composition Analysis

Modern software heavily relies on the use of components. Those components are usually published in central repositories, and managed by build systems via dependencies. Due to issues around vulnerabilities, licenses and the propagation of bugs, the study of those dependencies is of utmost importance, and numerous software composition analysis tools have emerged to address those issues. A particular challenge are hidden dependencies that are the result of cloning or shading where code from a component is "inlined", and, in the case of shading, moved to different namespaces. We present an approach to detect cloned and shaded artifacts in the Maven repository. Our approach is lightweight in that it does not require the creation and maintenance of an index, and uses a custom AST-based clone detection. Our analysis focuses on the detection of vulnerabilities in artifacts which use cloning or shading. Starting with eight vulnerabilities with assigned CVEs (four of those classified as critical) and proof-of-vulnerability projects demonstrating the presence of a vulnerability in an artifact, we query the Maven repository and retrieve over 16k potential clones of the vulnerable artifacts. After running our analysis on this set, we detect 554 artifacts with the respective vulnerabilities (49 if versions are ignored). We synthesize a testable proof-of-vulnerability project for each of those. We demonstrate that existing SCA tools often miss these exposures.