Unmasking CyberSecurity Vulnerabilities in Direct and Transitive OSS Dependencies

By: Sebastian A.
Year: 2024
School: Northwood High
Grade: 10
Science Teacher: Angie Oliveras

In today’s digital landscape, where open-source software (OSS) plays a pivotal role in powering everything from entertainment platforms to critical infrastructure, cybersecurity has become a pressing concern. The widespread use of OSS brings numerous benefits, including cost-effectiveness and collaborative development, but it also introduces vulnerabilities, often lurking within the dependencies of these software libraries. Recognizing this challenge, Sebastian embarked on a mission to fortify cybersecurity in the realm of OSS through his innovative project, SecureOSS.

Sebastian identified a crucial issue faced by software developers: the lack of awareness regarding vulnerable dependencies within OSS projects. These vulnerabilities, if left unaddressed, could serve as gateways for cybercriminals to exploit systems, potentially causing significant damage to both individuals and organizations. To tackle this problem, Sebastian devised a cybersecurity tool aimed at identifying and prioritizing vulnerabilities within OSS dependencies.

Sebastian built SecureOSS, a tool designed to improve the security posture of software projects by scanning for known vulnerabilities in both direct and transitive dependencies. At the heart of SecureOSS is a backend that queries the National Vulnerability Database (NVD), the NIST-maintained repository of published CVE records together with their severity scores and affected-product (CPE) data.

The pipeline begins with SecureOSS’s Dependency Parser, a module that scans a software project and generates a Software Bill of Materials (SBOM) in CycloneDX format, an OWASP-maintained SBOM standard. The SBOM serves as a catalog of the project’s direct dependencies and their transitive dependencies (the dependencies of those dependencies), each with its resolved version, so that every component can later be matched against NVD records. Recording transitive dependencies matters because a vulnerable library is often pulled in several levels deep by a package the developer never chose explicitly.
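The following is an added example, not SecureOSS’s own code, of what the Dependency Parser step produces: it takes a resolved dependency graph and emits a CycloneDX 1.5 JSON document whose `dependencies` section preserves the direct-versus-transitive distinction. The lockfile contents, package names and versions are constructed by hand for illustration; a real parser would derive them from a lockfile such as package-lock.json, poetry.lock or a Maven dependency tree.

```python
"""Build a CycloneDX 1.5 JSON SBOM from a resolved dependency graph.

Added example (not SecureOSS's own code). RESOLVED_LOCKFILE is a constructed
stand-in for parsed lockfile data: name -> (version, [names it depends on]).
"""
import json
from typing import Dict, List, Set, Tuple

RESOLVED_LOCKFILE: Dict[str, Tuple[str, List[str]]] = {
    "webapp":     ("1.0.0",  ["flask", "requests"]),   # the project itself
    "flask":      ("2.3.2",  ["werkzeug", "jinja2"]),
    "requests":   ("2.31.0", ["urllib3"]),
    "werkzeug":   ("2.3.6",  []),
    "jinja2":     ("3.1.2",  ["markupsafe"]),
    "markupsafe": ("2.1.3",  []),
    "urllib3":    ("2.0.3",  []),
}


def purl(name: str, version: str, ecosystem: str = "pypi") -> str:
    """Package URL used as the component's bom-ref so graph edges are unambiguous."""
    return f"pkg:{ecosystem}/{name}@{version}"


def reach(root: str, graph: Dict[str, List[str]]) -> Tuple[Set[str], Set[str]]:
    """Return (direct, transitive) node sets reachable from root; tolerates cycles."""
    direct = set(graph[root])
    seen: Set[str] = set()
    stack = list(direct)
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        if node not in graph:
            raise KeyError(f"unresolved dependency: {node}")  # lockfile is incomplete
        seen.add(node)
        stack.extend(graph[node])
    return direct, seen - direct


def build_sbom(root: str, lockfile: Dict[str, Tuple[str, List[str]]]) -> dict:
    """Emit a CycloneDX 1.5 document covering every dependency reachable from root."""
    graph = {name: deps for name, (_, deps) in lockfile.items()}
    direct, transitive = reach(root, graph)
    ref = lambda name: purl(name, lockfile[name][0])

    components = [
        {"type": "library", "name": name, "version": lockfile[name][0],
         "purl": ref(name), "bom-ref": ref(name)}
        for name in sorted(direct | transitive)
    ]
    # The dependency graph is what records *why* a component is present:
    # the root's dependsOn list is exactly the set of direct dependencies.
    dependencies = [
        {"ref": ref(name), "dependsOn": [ref(d) for d in graph[name]]}
        for name in [root] + sorted(direct | transitive)
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": root,
                                   "version": lockfile[root][0], "bom-ref": ref(root)}},
        "components": components,
        "dependencies": dependencies,
    }


def direct_and_transitive(sbom: dict) -> Tuple[Set[str], Set[str]]:
    """Recover the direct/transitive split from an SBOM's dependency graph alone."""
    graph = {d["ref"]: d["dependsOn"] for d in sbom["dependencies"]}
    return reach(sbom["metadata"]["component"]["bom-ref"], graph)


if __name__ == "__main__":
    print(json.dumps(build_sbom("webapp", RESOLVED_LOCKFILE), indent=2))
```

CycloneDX has no "transitive" flag on a component; the information lives only in the `dependencies` graph, which is why a scanner that wants to prioritize findings (a vulnerable direct dependency is usually easier to upgrade than one five levels deep) must keep that graph rather than just the flat component list.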

Next comes the Concurrency Manager, which orchestrates parallel queries to the NVD API Interface. Issuing lookups for many components concurrently, rather than one after another, keeps the scan from being bounded by the round-trip latency of each individual NVD request and significantly reduces the overall scanning time.

Sebastian’s project incorporates several technical enhancements to support this design. Multithreading allows multiple dependencies to be looked up simultaneously, which the project reports as a 75% reduction in average scanning time.

Sebastian also implemented a rate limiter and a caching layer to improve the tool’s stability and reliability. The Rate Limiter keeps the parallel workers within NVD’s published request limits (for the CVE API 2.0, five requests per rolling 30-second window without an API key and fifty with one), so that a burst of concurrent lookups does not get rejected by the service. The Cache Manager stores results for components already looked up, which avoids redundant API calls for the same library reached through several dependency paths and further reduces scanning time.
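The three pieces just described (parallel lookups, a rate limiter, a cache) fit together as in the following added example. It is illustrative code, not SecureOSS’s own implementation: `FakeNVDClient` is a constructed offline stand-in for the HTTP call to the NVD CVE API, its CPE strings and responses are constructed, and the limiter’s 5-per-30-seconds default mirrors NVD’s documented limit for requests without an API key.

```python
"""Concurrent NVD lookups with a sliding-window rate limiter and a result cache.

Added example, not SecureOSS's own code. FakeNVDClient replaces the real
GET https://services.nvd.nist.gov/rest/json/cves/2.0?cpeName=<cpe> call with
constructed responses so the example runs offline.
"""
import threading
import time
from collections import deque
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List


class SlidingWindowLimiter:
    """Allow at most max_calls acquisitions in any window-second span (thread-safe)."""

    def __init__(self, max_calls: int = 5, window: float = 30.0):
        self.max_calls, self.window = max_calls, window
        self._stamps: deque = deque()        # monotonic times of recent acquisitions
        self._lock = threading.Lock()

    def acquire(self) -> None:
        while True:
            with self._lock:
                now = time.monotonic()
                while self._stamps and now - self._stamps[0] >= self.window:
                    self._stamps.popleft()   # drop stamps that have left the window
                if len(self._stamps) < self.max_calls:
                    self._stamps.append(now)
                    return
                wait = self.window - (now - self._stamps[0])
            time.sleep(max(wait, 0.0))       # sleep outside the lock, then re-check


class LookupCache:
    """Memoise lookups by key; hit/miss counters make the saved API calls visible."""

    def __init__(self):
        self._data: Dict[str, List[str]] = {}
        self._lock = threading.Lock()
        self.hits = self.misses = 0

    def get_or_fetch(self, key: str, fetch: Callable[[str], List[str]]) -> List[str]:
        with self._lock:
            if key in self._data:
                self.hits += 1
                return self._data[key]
            self.misses += 1
        value = fetch(key)                   # network call happens outside the lock
        with self._lock:
            self._data[key] = value
        return value


class FakeNVDClient:
    """Constructed stand-in for the NVD CVE API; counts simulated round-trips."""

    RESPONSES = {  # constructed: CPE name -> CVE ids the API would return
        "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*": ["CVE-2021-44228"],
        "cpe:2.3:a:python:requests:2.31.0:*:*:*:*:*:*:*": [],
    }

    def __init__(self):
        self.calls = 0
        self._lock = threading.Lock()

    def lookup(self, cpe: str) -> List[str]:
        with self._lock:
            self.calls += 1                  # one simulated HTTP request
        time.sleep(0.01)                     # simulated network latency
        return list(self.RESPONSES.get(cpe, []))


def scan(cpes: List[str], limiter: SlidingWindowLimiter, cache: LookupCache,
         client: FakeNVDClient, workers: int = 4) -> Dict[str, List[str]]:
    """Look up every CPE in parallel; each real request passes limiter then client."""
    def fetch(cpe: str) -> List[str]:
        limiter.acquire()                    # blocks until a request slot is free
        return client.lookup(cpe)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda c: (c, cache.get_or_fetch(c, fetch)), cpes))


if __name__ == "__main__":
    client, cache = FakeNVDClient(), LookupCache()
    targets = list(FakeNVDClient.RESPONSES) * 2   # each CPE reached via two paths
    print(scan(targets, SlidingWindowLimiter(5, 30.0), cache, client))
    print(f"api calls={client.calls} hits={cache.hits} misses={cache.misses}")
```

One caveat worth knowing: this cache does not coalesce in-flight requests, so two workers that miss on the same key at the same instant will both go to the API; a repeat scan is fully served from cache, but a first scan of a graph with many duplicate paths may still issue a few redundant calls unless a per-key lock or future is added.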

SecureOSS has demonstrated its effectiveness in identifying significant vulnerabilities, including high-profile issues such as Log4Shell in Apache Log4j 2 (CVE-2021-44228), with a reported accuracy of 95% and an error rate of 2%. The tool also reports a scanning time of about 30 milliseconds per 10 to 15 libraries, which indicates how much the caching and parallel lookups contribute to its efficiency and scalability.
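Flagging a finding such as CVE-2021-44228 comes down to deciding whether a component’s version falls inside the affected ranges that NVD publishes as CPE match entries. The following added example, not SecureOSS’s own code, shows that matching step. The NVD record below is a constructed, simplified fragment in the shape of the CVE API 2.0 `configurations` structure: it keeps only a range entry (2.0 up to but excluding 2.15.0, the release that fixed the issue) and one explicit pre-release entry (2.0-beta9), and is not a verbatim copy of the real record, which lists several more ranges for the backported fix lines.

```python
"""Match a component version against NVD-style CPE match entries.

Added example, not SecureOSS's own code. CVE_2021_44228 below is a constructed,
simplified fragment shaped like an NVD CVE API 2.0 record, not the real entry.
"""
import re
from typing import Dict, Tuple

CVE_2021_44228 = {
    "id": "CVE-2021-44228",
    "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.0", "versionEndExcluding": "2.15.0"},
        # "2.0-beta9" sorts below "2.0", so the range above would miss it;
        # NVD therefore lists pre-release versions as explicit entries.
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:apache:log4j:2.0:beta9:*:*:*:*:*:*"},
    ]}]}],
}

_PRE = re.compile(r"([A-Za-z]+)(\d*)")


def version_key(v: str) -> Tuple:
    """Sortable key: numeric parts padded to 4; a pre-release tag sorts below its release."""
    main, _, pre = v.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums += (0,) * (4 - len(nums))
    if not pre:
        return nums + ((1,),)                       # final release
    m = _PRE.fullmatch(pre)
    if m is None:
        raise ValueError(f"unparseable pre-release tag: {v}")
    return nums + ((0, m.group(1).lower(), int(m.group(2) or 0)),)


def cpe_fields(criteria: str) -> Dict[str, str]:
    """Pull vendor/product/version/update out of a CPE 2.3 formatted string."""
    p = criteria.split(":")
    return {"vendor": p[3], "product": p[4], "version": p[5], "update": p[6]}


def match_entry(entry: dict, vendor: str, product: str, version: str) -> bool:
    """True if (vendor, product, version) satisfies one cpeMatch entry."""
    c = cpe_fields(entry["criteria"])
    if (c["vendor"], c["product"]) != (vendor, product):
        return False
    key = version_key(version)
    if c["version"] != "*":                         # exact version (+ update) match
        exact = c["version"] + ("-" + c["update"] if c["update"] not in ("*", "-") else "")
        return key == version_key(exact)
    lo_inc, lo_exc = entry.get("versionStartIncluding"), entry.get("versionStartExcluding")
    hi_inc, hi_exc = entry.get("versionEndIncluding"), entry.get("versionEndExcluding")
    if lo_inc and key < version_key(lo_inc):
        return False
    if lo_exc and key <= version_key(lo_exc):
        return False
    if hi_inc and key > version_key(hi_inc):
        return False
    if hi_exc and key >= version_key(hi_exc):
        return False
    return True


def is_affected(record: dict, vendor: str, product: str, version: str) -> bool:
    """Evaluate each node's operator over its vulnerable cpeMatch entries (per-node only;
    a full matcher would also honour the configuration-level operator)."""
    for config in record["configurations"]:
        for node in config["nodes"]:
            hits = [match_entry(e, vendor, product, version)
                    for e in node["cpeMatch"] if e.get("vulnerable", True)]
            result = bool(hits) and (all(hits) if node["operator"] == "AND" else any(hits))
            if node.get("negate"):
                result = not result
            if result:
                return True
    return False


if __name__ == "__main__":
    for v in ("2.0-beta9", "2.14.1", "2.15.0", "1.2.17"):
        print(v, is_affected(CVE_2021_44228, "apache", "log4j", v))
```

Two practical notes: the vendor/product pair comes from CPE, not from the SBOM, so a scanner needs a mapping from package URLs (for example `pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1`) to CPE names, and an unmapped component silently produces no findings; and version schemes differ by ecosystem, so the simple key above should be replaced by the ecosystem’s own comparison rules where they exist.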