
Completed project grant, Swedish Research Council

AI- and Risk-based Vulnerability Management for Trustworthy Open Source Adoption (ARVOS)

29.49M SEK

Funder Vinnova
Recipient Organization Elastisys Ab
Country Sweden
Start Date May 15, 2021
End Date Nov 15, 2022
Duration 549 days
Number of Grantees 1
Roles Principal Investigator
Data Source Swedish Research Council
Grant ID 2021-01687_Vinnova
Grant Description

Purpose and goal:

Current vulnerability scanning tools perform static code analysis and produce many false alerts. This leads to a "crying wolf" phenomenon in which even exploitable vulnerabilities get ignored. For example, a vulnerability might not be exploitable because the application never uses the affected function offered by a library.

The goal of ARVOS was to make vulnerabilities more relevant through run-time detection. In essence, a vulnerability should only be reported as a threat if the application actually makes use of the vulnerable functionality.

Expected results and effects:

We performed two user interviews with ARVOS. In essence, Java application developers got to use ARVOS themselves to fix an application vulnerability, with some help from the ARVOS team. The interviews validated that: (1) ARVOS is easy to use, given its integration with GitHub and GitLab; (2) ARVOS is easy to understand, and developers could immediately fix vulnerabilities in the application; (3) the performance overhead of ARVOS is acceptable.

Based on these very promising results, we expect the cybersecurity landscape to move from static code analysis to run-time vulnerability scanning.

Approach and implementation:

ARVOS consists of two main parts. First, the Debricked engine consumes git commits and produces an augmented CVE database that specifies, for each CVE, the vulnerable function. If that vulnerable function is never called, the CVE is determined to be unexploitable. Second, the Elastisys ARVOS CI engine uses eBPF to monitor whether the application makes use of any vulnerable function at run time. We integrated ARVOS with both GitHub Actions and GitLab CI, two popular Continuous Integration (CI) tools.
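The triage logic described above, as an added example in Python that is not ARVOS's own code: an augmented CVE record names the vulnerable function, a trace of observed calls stands in for what an eBPF probe would collect, and a CVE is reported as exploitable only when the two intersect. The record format, CVE ids, package names, method names and trace lines are all constructed for illustration.

```python
"""Toy version of the ARVOS triage step: a CVE is reported only if a function
the augmented CVE database marks as vulnerable shows up in the run-time call
trace.  Added example; ids, package/method names and trace lines are made up."""
from dataclasses import dataclass

@dataclass(frozen=True)
class AugmentedCve:
    cve_id: str                      # constructed placeholder ids
    package: str                     # affected dependency
    vulnerable_functions: frozenset  # fully qualified method names

# Constructed augmented database in the shape the Debricked engine produces.
AUGMENTED_DB = [
    AugmentedCve("CVE-0000-0001", "example-xml",
                 frozenset({"com.example.xml.Reader.parseExternalEntity"})),
    AugmentedCve("CVE-0000-0002", "example-xml",
                 frozenset({"com.example.xml.Writer.escape"})),
    AugmentedCve("CVE-0000-0003", "example-yaml",
                 frozenset({"com.example.yaml.Loader.load"})),
]
# Constructed trace, "<timestamp> call <method>", as a uprobe collector might emit.
TRACE = """\
1652.010 call com.example.app.Main.main
1652.014 call com.example.xml.Reader.parse
1652.015 call com.example.xml.Reader.parseExternalEntity
1652.020 call com.example.app.Main.shutdown
""".splitlines()

def parse_trace(lines):
    """Return the set of methods seen in well-formed 'call' events."""
    called = set()
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[1] == "call":
            called.add(parts[2])
    return called

def triage(db, dependencies, trace_lines):
    """Verdict per CVE: 'not-applicable' (dependency absent), 'unexploitable'
    (no vulnerable function called) or 'exploitable' (one was called)."""
    called = parse_trace(trace_lines)
    verdicts = {}
    for cve in db:
        if cve.package not in dependencies:
            verdicts[cve.cve_id] = "not-applicable"
        elif cve.vulnerable_functions & called:
            verdicts[cve.cve_id] = "exploitable"
        else:
            verdicts[cve.cve_id] = "unexploitable"
    return verdicts
```

Running `triage(AUGMENTED_DB, {"example-xml"}, TRACE)` reports only CVE-0000-0001, since that is the only CVE whose vulnerable function appears in the trace.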

All Grantees

Elastisys Ab
