AI- and Risk-based Vulnerability Management for Trustworthy Open Source Adoption (ARVOS)

Purpose and goal

Current vulnerability scanning tools perform static code analysis and produce a lot of false alerts. This leads to a “crying wolf” phenomenon, where even exploitable vulnerabilities get ignored. For example, a vulnerability might not be exploitable, because the application does not use a given function offered by a library. The goal of ARVOS was to make vulnerabilities more relevant through run-time detection. In essence, a vulnerability should only be reported as a threat, if the application actually makes use of vulnerable functionality.

Expected results and effects

We performed two user interviews with ARVOS. In essence, Java application developers got to use ARVOS themselves to fix an application vulnerability, with some help from the ARVOS team. The interviews validated that: (1) ARVOS is easy-to-use given its integration with GitHub and GitLab; (2) ARVOS is easy-to-understand, developers could immediately fix vulnerabilities in the application; (3) ARVOS performance overhead is acceptable. Based on the very promising results, we expect the cybersecurity landscape to move from static code analysis to runtime vulnerability scanning.

Planned approach and implementation

ARVOS consists of two main parts. First, the Debricked engine consumes git commits and produces an augmented CVE database, which specifies the vulnerable function. If this vulnerable function is not called, then the CVE is determined to be unexploitable. Second, the Elastisys ARVOS CI engine uses a technology called eBPF to monitor if the application makes use of any vulnerable function. We integrated ARVOS with both GitHub Actions and GitLab CI, two popular Continuous Integration (CI) tools.

External links

Blog post disseminating the main ARVOS findings (part of Deliverable D5.2) ARVOS open-source source code repository Example of dissemination of ARVOS on LinkedIn (part of Deliverable D5.2)