SupplyChainSecurityCon 2022

Plugins to package managers such as cargo audit, npm audit, and dependency bots such as Dependabot or Renovate primarily rely on making recommendations to developers by analyzing build manifests in projects. Metadata analyses (or dependency tree analyses) are typically insufficient for making quick decisions on whether a project is affected, for example, by a security or performance bug. Much effort goes into testing and manual code reviews to determine whether a project is affected---not many analysis looks into how projects "actually use" their dependencies at the source code level. As more and more dependency-analysis-based projects are looking to integrate some form of static analysis in their products, we will in this talk focus on the challenges of incorporating static analysis: cases where it is helpful and not helpful, practical examples demonstrating substantial differences between metadata and static analysis, and what new "powers" static analysis brings to package repository-level analytics.

Dates

Author

Conferences

Tags

Going Beyond Metadata: Why We Need to Think of Adopting Static Analysis in Dependency Tools

tldr - powered by Generative AI