As part of my research, I am looking at the detection and prioritization of vulnerable dependencies, i.e. VDs (open source libraries with known vulnerabilities). Recently, we wrote a paper where we compared 10 existing VD detection tools. For this comparison, we used openmrs-distro-referenceapplication 2.10.0. The studied tools include OWASP Dependency-Check, Snyk, npm audit and some commercial tools as well. We have just submitted the paper to a conference and it is now awaiting peer review. I am attaching the draft here for reference: vulndep_tool_comparison.pdf (292.5 KB). I will appreciate any feedback on the paper.
To summarize the paper with relevance to this community, the tools found many dependencies with known vulnerabilities in the latest release of the OpenMRS reference application. Although we found that different tools may inflate or deflate results with false positives/negatives, many VD alerts were detected by multiple tools as well. As an example, Snyk found 96 unique Maven dependencies with 189 known vulnerabilities among all 44 projects of the distribution.
Based on our study, I had some questions:
- Does OpenMRS use any tool to monitor vulnerable dependencies?
- Does OpenMRS have any policy or guidelines on how to address the vulnerable dependencies? I am guessing it may be necessary to assess the risk of these vulnerabilities from the context of OpenMRS and prioritize fixes if necessary.
- While setting up OpenMRS, it asks permission if it can collect diagnostic/error reports. Is there any such database of error reports of OpenMRS that is publicly accessible? I am asking this because one of our future research ideas is to look into crash logs of an application to determine which dependencies appear on the stack traces, which may be an indicator of how close a dependency is to the application's attack surface. If OpenMRS has such crash logs or error reports that give stack traces from real-world application use, it will be greatly helpful for our research.
I am tagging @f4ww4z and @teleivo based on this and this post. Also tagging @isears. Sorry for the unsolicited tagging, but it'll be greatly helpful if you can help me with my queries or guide me in the right direction.
Finally, I would appreciate any feedback or research suggestions on the draft paper I've attached here. Although the paper is long, the study uses OpenMRS as a case study and I believe it should be interesting to this community.
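The stack-trace idea in the third question, as an added illustration that is not part of the original post or the paper: a small Python script that parses Java stack-trace frames from crash reports, maps each frame's package to a Maven artifact, and records for each dependency how many frames it owns, how close it sits to the top of the stack, and whether it appears above the first application frame (i.e. it was called by application code, which is the case most relevant to reachability). The sample trace and the package-to-artifact map are constructed for the example; in a real study the map would be built from the distribution's dependency tree and jar contents, and the traces would come from the error reports the post asks about.

```python
import re
from collections import defaultdict

# Constructed sample crash report (not a real OpenMRS error report).
SAMPLE_TRACE = """\
java.lang.NullPointerException: null
    at org.apache.commons.lang.StringUtils.isBlank(StringUtils.java:123)
    at org.openmrs.api.impl.PatientServiceImpl.savePatient(PatientServiceImpl.java:210)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:900)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
"""

# Hypothetical package-prefix -> Maven coordinate map. In practice this would be
# derived from `mvn dependency:tree` plus the package list of each jar.
PACKAGE_TO_ARTIFACT = {
    "org.apache.commons.lang.": "commons-lang:commons-lang",
    "org.springframework.": "org.springframework:spring-webmvc",
    "org.apache.catalina.": "org.apache.tomcat:tomcat-catalina",
}
# Packages that belong to the application itself (assumed prefix).
APP_PREFIXES = ("org.openmrs.",)

# Matches "at <fully.qualified.Class>.<method>(<File>.java:<line>)" frames.
FRAME_RE = re.compile(r"^\s*at\s+([\w$.]+)\.[\w$<>]+\(([^)]*)\)\s*$")


def parse_frames(trace):
    """Return the fully qualified class name of each frame, top of stack first."""
    return [m.group(1) for line in trace.splitlines()
            if (m := FRAME_RE.match(line))]


def classify(class_name):
    """Map a class to 'app', a Maven artifact, or None (JDK / unmapped code)."""
    if class_name.startswith(APP_PREFIXES):
        return "app"
    for prefix, artifact in PACKAGE_TO_ARTIFACT.items():
        if class_name.startswith(prefix):
            return artifact
    return None


def dependency_exposure(trace):
    """Per dependency: frame count, shallowest depth (0 = top frame) and whether
    the dependency appears above the first application frame."""
    frames = parse_frames(trace)
    app_depths = [i for i, c in enumerate(frames) if classify(c) == "app"]
    first_app = app_depths[0] if app_depths else len(frames)
    result = {}
    for depth, cls in enumerate(frames):
        label = classify(cls)
        if label in (None, "app"):
            continue
        entry = result.setdefault(
            label, {"frames": 0, "min_depth": depth, "called_by_app": False})
        entry["frames"] += 1
        entry["min_depth"] = min(entry["min_depth"], depth)
        if depth < first_app:
            entry["called_by_app"] = True
    return result


def rank_dependencies(traces):
    """Aggregate over many crash reports and rank dependencies by how often they
    appear above application code, then by total frames."""
    totals = defaultdict(lambda: {"reports": 0, "frames": 0, "called_by_app": 0})
    for trace in traces:
        for artifact, entry in dependency_exposure(trace).items():
            t = totals[artifact]
            t["reports"] += 1
            t["frames"] += entry["frames"]
            t["called_by_app"] += int(entry["called_by_app"])
    return sorted(totals.items(),
                  key=lambda kv: (-kv[1]["called_by_app"], -kv[1]["frames"], kv[0]))


if __name__ == "__main__":
    for artifact, stats in rank_dependencies([SAMPLE_TRACE]):
        print(artifact, stats)
```

Frames that resolve to `None` (here the servlet API) are deliberately dropped rather than guessed, so an unmapped package in a real corpus shows up as a gap in the map instead of a false attribution.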