Are Third-Party Libraries Secure? A Software Library Checker for Java']Java

Nowadays, there are many software libraries for different purposes that are used by various projects. An application is only as secure as its weakest component; thus if an imported library includes a certain vulnerability, an application could get insecure. Therefore a widespread search for existing security flaws within used libraries is necessary. Big databases like the National Vulnerability Database (NVD) comprise reported security incidents and can be utilized to determine whether a software library is secure or not. This classification is a very time-consuming and exhausting task. We have developed a tool-based automated approach for supporting developers in this complex task through heuristics embedded in an eclipse plugin. Documented vulnerabilities stored in databases will be taken into consideration for the security classification of libraries. Weaknesses do not always entail the same consequences; a scoring that identifies the criticality oriented on their potential consequences is applied. In this paper, a method for the enrichment of knowledge containing vulnerability databases is considered. Our approach is focussing on the scope of software weaknesses, which are library reasoned and documented in vulnerability databases. The Java Library Checker was implemented as eclipse plugin for supporting developers to make potential insecure third-party libraries visible to them.