Reliable Bytecode-centric Detection of Vulnerable Open-Source Software Dependencies / Stefan Schott ; Advisors Prof. Dr. Eric Bodden, Dr. Serena Elisa Ponta. Paderborn, 2026
Contents
- Abstract
- Acknowledgments
- Contents
- 1 Introduction
- 2 Background
- 2.1 Dependency Management in Java
- 2.2 Dependency Modifications
- 2.3 Known Vulnerabilities
- 2.4 Dependency Scanners
- 2.5 Java Compilers and Bytecode
- 2.6 SootUp and Jimple
- 2.7 Code Property Graphs
- 3 Targeted Compilation
- 3.1 The Role of Compilation in Bytecode-centric Dependency Scanning
- 3.2 Targeted Compilation with Jess
- 3.3 Compilation Heuristic for Compiling Commit Changes
- 3.4 Evaluation
- 3.4.1 RQ1: How does Jess's compilation perform on popular and current Java projects?
- 3.4.2 RQ2: How similar is the bytecode obtained via Jess to the original bytecode?
- 3.4.3 RQ3: To what extent can Jess enable the successful compilation of fix-commit changes?
- 3.4.4 RQ4: To what extent can the compilation heuristic improve the success rate of compiling fix-commit changes?
- 3.5 Threats to Validity
- 3.6 Related Work
- 3.7 Conclusion
- 4 Bytecode Normalization
- 4.1 Study: Usage of different Compilers and Target Levels in Java Projects
- 4.2 Java Bytecode Normalization with jNorm
- 4.2.1 Investigation of Compilation Differences
- 4.2.2 Overview of jNorm
- 4.2.3 Jimple Transformation and Optimization
- 4.2.4 Compilation Difference Transformation
- 4.2.5 Standardization
- 4.3 Evaluation
- 4.3.1 Experimental Setup
- 4.3.2 RQ5: Does the vendor of the JDK compiler influence bytecode generation?
- 4.3.3 RQ6: How effective is jNorm in normalizing differences across JDK versions?
- 4.3.4 RQ7: How effective is jNorm in normalizing differences across Java target levels?
- 4.3.5 RQ8: How prevalent are the individual compilation difference transformations of jNorm?
- 4.4 Threats to Validity
- 4.5 Related Work
- 4.6 Conclusion
- 5 Bytecode-centric Dependency Scanning
- 5.1 Bytecode-centric Dependency Scanning with Jaralyzer
- 5.2 Evaluation
- 5.2.1 Experimental Setup
- 5.2.2 RQ9: How does Jaralyzer compare to state-of-the-art dependency scanners in identifying modified known-to-be-vulnerable dependencies?
- 5.2.3 RQ10: How does Jaralyzer compare to the state-of-the-art code-centric dependency scanner in identifying unmodified known-to-be-vulnerable dependencies?
- 5.2.4 RQ11: How runtime-efficient is Jaralyzer?
- 5.3 Threats to Validity
- 5.4 Related Work
- 5.5 Conclusion
- 6 Conclusion and Outlook
- Implementations and Data
- Bibliography
- Listings
