Supported by the National Key R&D Program of China (2021YFB2701102); the National Natural Science Foundation of China (62141222, U20A20173); and the Fundamental Research Funds for the Central Universities (226-2022-00064)
As the scale of modern software keeps growing, software vulnerabilities pose a serious threat to the secure operation and reliability of computer systems and software, and in turn cause enormous losses to production and daily life. In recent years, with the widespread use of open source software, its security problems have drawn broad attention. Vulnerability awareness techniques can effectively help open source software users become aware of a vulnerability before it is publicly disclosed, so that they can defend against it in time. Unlike vulnerability detection for traditional software, the transparency and collaborative nature of open source vulnerabilities pose great challenges to vulnerability awareness in open source software. Many scholars and practitioners have therefore proposed techniques for perceiving potential vulnerabilities and risks in open source software from its code and from open source communities, so as to discover vulnerabilities as early as possible and reduce the losses they cause. To promote the development of open source vulnerability awareness techniques, this paper systematically reviews, summarizes and comments on existing research. It selects 45 high-quality papers on open source vulnerability awareness techniques and divides them into three categories: code-based, open source community discussion-based, and software patch-based vulnerability awareness techniques, which are systematically reviewed, categorized and summarized. Notably, drawing on the most recent studies, this paper is the first to propose a classification of awareness techniques based on the open source software vulnerability life cycle, supplementing and refining the existing taxonomies. Finally, it explores the challenges in this field and outlines directions for future research.
As the scale of modern software keeps growing, software vulnerabilities pose a serious threat to the security and reliability of computer systems and software, causing huge losses to people’s production and daily life. In recent years, as open source software (OSS) has come into widespread use, the vulnerability issues of OSS have received much attention. Vulnerability awareness techniques can effectively help OSS users identify vulnerabilities at an early stage, before public disclosure, so that they can be defended against in time. Different from vulnerability detection techniques for traditional software, the transparency and collaborative nature of OSS vulnerabilities bring great challenges to vulnerability awareness. Therefore, various techniques have been proposed by scholars and developers to perceive potential vulnerabilities and risks in OSS from its code and from the open source community, so as to find OSS vulnerabilities as early as possible and reduce the losses they cause. To boost the development of OSS vulnerability awareness techniques, this study conducts a systematic literature review of existing research. It selects 45 high-quality papers on open source vulnerability awareness techniques, covering code-based, open source community discussion-based, and patch-based vulnerability awareness techniques, and systematically summarizes their results. In particular, drawing on the most recent publications, this study is the first to propose a categorization of techniques based on the OSS vulnerability life cycle, which supplements and improves the existing taxonomy of vulnerability awareness techniques. Finally, the study discusses the challenges in the field and outlines future research directions.