Hybrid Reachability Analysis Using Static Graphs And Dynamic Execution Traces For OSS Vulnerabilities
DOI: https://doi.org/10.62647/IJITCE2025V13I4PP135-141
Keywords: Hybrid Reachability Analysis, Open-Source Software Security, Static Graphs, Dynamic Execution Traces, Vulnerability Detection, Dependency Risk Analysis, Software Assurance.
Abstract
The extensive adoption of third-party libraries, combined with the rapid detection of new vulnerabilities, compounds the security problems of the open-source software ecosystem. Although traditional static and dynamic analyses provide critical information about vulnerability reachability, their applicability is often limited by false positives or by insufficient coverage. This paper presents a new metric, hybrid reachability analysis, that can be leveraged to improve the precision of risk impact assessments. The approach integrates dynamic execution traces with static program graphs. Experiments show the practical utility of this hybrid approach for improving accuracy, reducing false positives, and supporting sensible vulnerability prioritisation. Furthermore, we present a tri-fold synthesis of the literature on existing studies relevant to reachability analyses and hybrid approaches. We conclude by arguing that combining graph and trace data can strengthen future vulnerability management workflows, and we offer a conceptual model showing how hybrid analysis can support more sustainable software development. Limitations, including scalability and runtime overhead, are discussed, as is promising future work such as distributed tracing, embedded machine learning, and extending the methods to support continuous deployment. The article thus provides a comprehensive analysis of the OSS security challenges addressed by traditional analyses and by hybrid methodologies.
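As an added illustration (not code from the paper), the following Python sketch shows the core idea the abstract describes: static call-graph paths to a vulnerable function are enumerated, then each path is checked against the caller/callee edges observed in a dynamic execution trace, so a finding is marked "confirmed" only when an executed path reaches the sink, "static-only" when only the over-approximating graph reaches it, and "unreachable" otherwise. The call graph, trace edges and function names are constructed sample data.

```python
# Constructed sample data (hypothetical; not from the paper): a static call
# graph of an app that depends on a library whose function lib.parse_untrusted
# is the vulnerable sink. Static edges over-approximate: app.legacy_import is
# present in the code but is never exercised at runtime.
STATIC_CALL_GRAPH = {
    "app.main": ["app.handle_request", "app.legacy_import"],
    "app.handle_request": ["lib.validate", "lib.parse_untrusted"],
    "app.legacy_import": ["lib.parse_untrusted"],
    "lib.validate": [],
    "lib.parse_untrusted": ["lib.decode"],
    "lib.decode": [],
}

# Constructed dynamic trace: caller->callee edges observed during one run.
# Traces under-approximate: only the paths that were exercised appear.
DYNAMIC_TRACE_EDGES = {
    ("app.main", "app.handle_request"),
    ("app.handle_request", "lib.validate"),
    ("app.handle_request", "lib.parse_untrusted"),
}


def static_paths(graph, entry, target):
    """Enumerate all simple (cycle-free) call paths entry -> target."""
    paths, stack = [], [(entry, [entry])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for callee in graph.get(node, []):
            if callee not in path:
                stack.append((callee, path + [callee]))
    return paths


def hybrid_reachability(graph, trace_edges, entry, vulnerable_fn):
    """Rank a vulnerable function by combining static paths with trace evidence.

    confirmed:   at least one static path was fully observed at runtime
    static-only: reachable in the graph, but never observed (lower priority)
    unreachable: no static path at all (likely a false positive for this app)
    """
    paths = static_paths(graph, entry, vulnerable_fn)
    confirmed = [p for p in paths
                 if all((a, b) in trace_edges for a, b in zip(p, p[1:]))]
    static_only = [p for p in paths if p not in confirmed]
    verdict = "confirmed" if confirmed else ("static-only" if paths else "unreachable")
    return {"verdict": verdict, "confirmed_paths": confirmed,
            "static_only_paths": static_only}
```

Running `hybrid_reachability(STATIC_CALL_GRAPH, DYNAMIC_TRACE_EDGES, "app.main", "lib.parse_untrusted")` yields a confirmed verdict with one observed path and one static-only path, while `lib.decode` is statically reachable but never observed, which is exactly the distinction used to prioritise findings.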
Copyright (c) 2025 Purv Rakeshkumar Chauhan (Author)

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.