Infrastructure as Code (IaC) platforms lack mechanisms for detecting security smell diffusion, a challenge stemming from the absence of repository relationships. We present a similarity-based methodology combining content and structure metrics to identify repository clones. Validated against Ansible Galaxy repositories that have GitHub fork data, our approach achieved 99.6%–99.8% accuracy to detect forks. Analysis of Ansible Galaxy repositories across three popular technologies revealed 38.4%–54.1% share code overlap, creating vulnerability propagation pathways. Security analysis identified CWE-477 and CWE-546 as most prevalent, with CVE-2017-7550 (CVSS 9.8 - Critical) propagating from a popular repository version with 2.7 million downloads. Fork metadata absence causes users to download repositories with induced security smells at 100 \(\times \) higher rates than platforms with visible fork relationships. A survey of 24 IaC tools confirmed none provide cross-repository comparison capabilities, demonstrating a gap in repository relationship tracking within the IaC supply chain. Our work addresses this gap by providing a systematic approach to detect clones and track security diffusion in environments lacking fork metadata.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Tracking Security Smell Diffusion Patterns in Ansible Playbooks Using Metadata

  • Pandu Ranga Reddy Konala,
  • Vimal Kumar,
  • David Bainbridge,
  • Junaid Haseeb

摘要

Infrastructure as Code (IaC) platforms lack mechanisms for detecting security smell diffusion, a challenge stemming from the absence of repository relationships. We present a similarity-based methodology combining content and structure metrics to identify repository clones. Validated against Ansible Galaxy repositories that have GitHub fork data, our approach achieved 99.6%–99.8% accuracy to detect forks. Analysis of Ansible Galaxy repositories across three popular technologies revealed 38.4%–54.1% share code overlap, creating vulnerability propagation pathways. Security analysis identified CWE-477 and CWE-546 as most prevalent, with CVE-2017-7550 (CVSS 9.8 - Critical) propagating from a popular repository version with 2.7 million downloads. Fork metadata absence causes users to download repositories with induced security smells at 100 \(\times \) higher rates than platforms with visible fork relationships. A survey of 24 IaC tools confirmed none provide cross-repository comparison capabilities, demonstrating a gap in repository relationship tracking within the IaC supply chain. Our work addresses this gap by providing a systematic approach to detect clones and track security diffusion in environments lacking fork metadata.