Automated, Provenance-Driven Security Audit for git-Based Repositories


Software repositories contain much information besides the source code itself. For Open Source projects and Inner Source projects, the team composition and development process is transparent and traceable and can be evaluated at any point of time by, for example, continuous evaluation with regard to security by automated analysis. Software development is a highly complex process involving a wide range of responsibilities and people. In addition, the complexity of the software itself grows over time. To cope with this different tools are used to support the development process. During the entire software development process, all these support tools produce several types of data. These large amounts of data, which are generated before, during, and after the development of a software, can be analyzed using Provenance. Provenance analysis focusing on the development of software projects provides insight into the interactions of people. These interactions can fall into different categories. To analyze the development process, we extract retrospective provenance from repositories and store it in a graph database for further analysis For conducting a security analysis of software and its development process, we integrate the extracted provenance information with bugs or vulnerabilities as reported by static analysis tools. We therefore consider individual commit snapshots in the history of the software repositories. According to the respective repository, we run certain static analysis tools on a snapshot, track their reported findings and save them into a database for later analysis. Interlinking the tools findings with provenance information is done via the respective snapshot’s code commit operations. Using the combined information then allows various questions for researching on the development process and how security has been addressed.

5 Oct 2021 12:30 — 13:00