In modern software supply chains, Software Bill of Materials(SBOM) based scanners can lead to Alert Fatigue. The Vulnerability Exploitability eXchange(VEX) standard involves a manual process for establishing justifications such as vulnerable_code_not_in_execute_path, which states that a component is not affected because the vulnerable code is not in the execution path. Automation of this process is limited due to Node.js’s complex module system. This study proposes an automated VEX generation and vulnerability prioritization framework based on an Inter-Module Symbol Graph constructed using the static analysis tool CodeQL. This graph goes beyond package dependencies, considers Node.js’s module resolution rules, and analyzes import and export information extracted from code to precisely track which component’s API symbol calls another component’s API symbol at the code level. The proposed system uses this graph to filter out vulnerabilities unreachable from the top-level application, reducing alerts by an average of 91.1% compared to existing Software Composition Analysis(SCA) tools. For the remaining actionable threats after filtering, structural metrics such as call depth and API utilization rate are analyzed to assess potential impact. Through this, the system automatically generates VEX documents and provides a prioritization model enabling developers and security teams to focus resources on specific threats amidst numerous alerts.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Automated VEX Generation and Vulnerability Prioritization Using Inter-Module Symbol Graphs

  • Jeongho Lee,
  • Seyoung Lee

摘要

In modern software supply chains, Software Bill of Materials(SBOM) based scanners can lead to Alert Fatigue. The Vulnerability Exploitability eXchange(VEX) standard involves a manual process for establishing justifications such as vulnerable_code_not_in_execute_path, which states that a component is not affected because the vulnerable code is not in the execution path. Automation of this process is limited due to Node.js’s complex module system. This study proposes an automated VEX generation and vulnerability prioritization framework based on an Inter-Module Symbol Graph constructed using the static analysis tool CodeQL. This graph goes beyond package dependencies, considers Node.js’s module resolution rules, and analyzes import and export information extracted from code to precisely track which component’s API symbol calls another component’s API symbol at the code level. The proposed system uses this graph to filter out vulnerabilities unreachable from the top-level application, reducing alerts by an average of 91.1% compared to existing Software Composition Analysis(SCA) tools. For the remaining actionable threats after filtering, structural metrics such as call depth and API utilization rate are analyzed to assess potential impact. Through this, the system automatically generates VEX documents and provides a prioritization model enabling developers and security teams to focus resources on specific threats amidst numerous alerts.