Security Risk Visualization for Open-Source Software based on Vulnerabilities, Repositories, and Dependencies

Tomohiko Yano, Hiroki Kuzuno

CANDAR (2023)

Abstract
Open-source software (OSS) has become a mainstream technology in recent years. However, using it securely requires a thorough understanding of the security risks involved, e.g., vulnerability and developmental risks. Whenever a new vulnerability is identified in an OSS in use, the security administrator must update it. On the other hand, if an OSS is not under active development, an alternative OSS should be considered because newly identified vulnerabilities may not be fixed. Further, besides the OSSs directly in use, their dependencies must also be considered. Thus, security administrators require a specialized method to analyze the vulnerability and developmental risks of OSSs while taking their dependencies into account. For this purpose, this study proposes a method that identifies security risks in an OSS by extracting, linking, and visualizing its vulnerability, developmental, and dependency information using vulnerability databases and package management tools. Its performance and processing time are evaluated by applying it to the visualization of an OSS with additional vulnerability information and different scores representing development information.
Keywords
Open-Source Software, Vulnerability management, Visualization