Journal article
Automated detection of affected libraries from vulnerability reports
Automated software engineering, Vol.32(2), pp.1-38
11/2025
Abstract
The growing reuse of third-party libraries in software supply chains increases the risk of being affected by the vulnerabilities those libraries carry. To strengthen software security, security vendors such as Snyk maintain up-to-date vulnerability databases by associating reported vulnerabilities with their affected libraries, and contemporary digital organizations such as banks and software enterprises check whether the third-party libraries they use are affected by these reported vulnerabilities. Existing studies focus on automating the detection process but make little effort to detect newly affected libraries, although new (previously healthy) libraries are constantly disclosed to be affected by new vulnerabilities. Moreover, existing studies do not seriously consider that digital organizations are concerned only about the libraries they use. In this paper, we propose an approach, LibAlarm, to address these challenges. We implement LibAlarm as a large language model-powered approach and compare it with baseline approaches from multiple perspectives. Our experimental evaluation using 16,238 NVD reports indicates that LibAlarm improves F1 by over 14% compared with the baselines and detects over 40% of newly affected libraries. For contemporary digital organizations, LibAlarm performs better than the baseline approaches, with an F1 above 70% and the false alarm ratio reduced to 20%. Our case analysis using 540 NVD reports and 20 projects from Microsoft and Google demonstrates the effectiveness of LibAlarm. These results indicate that LibAlarm can help security vendors and digital organizations detect affected libraries from vulnerability reports.
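The abstract scores affected-library detection with F1 and a false alarm ratio, once over every library a report names (the vendor's view) and once restricted to the libraries an organization actually uses. The Python below is an added illustration of that evaluation, not code from the paper or its authors: a plain CPE 2.3 string heuristic stands in for the LLM-powered detector, and the report records, ground truth, dependency list, prior-knowledge index and the exact definition of the false alarm ratio are all constructed assumptions.

```python
"""Scoring affected-library detection against an organization's dependencies.

Added example, not code from the LibAlarm paper or its authors. A CPE-string
heuristic stands in for the paper's LLM-powered detector; the reports, ground
truth, dependency list and metric definitions are constructed assumptions.
"""
from __future__ import annotations


def split_cpe23(cpe: str) -> list[str]:
    """Split a CPE 2.3 formatted string on unescaped colons.

    CPE 2.3 escapes ':' with a backslash, so str.split(':') would misalign
    the fields of a product name such as 'jsonparser\\:legacy'.
    """
    fields: list[str] = []
    cur: list[str] = []
    i = 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            cur.append(cpe[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def detect_affected(report: dict) -> set[str]:
    """Heuristic detector: 'vendor:product' of every application ('a') CPE.

    Operating-system ('o') and hardware ('h') entries describe the platform,
    not an affected library, so they are skipped.
    """
    found: set[str] = set()
    for cpe in report["cpes"]:
        f = split_cpe23(cpe)
        if len(f) >= 5 and f[:3] == ["cpe", "2.3", "a"]:
            found.add(f"{f[3]}:{f[4]}")
    return found


def restrict_to_used(libs: set[str], used: set[str]) -> set[str]:
    """An organization only cares about libraries it actually depends on."""
    return libs & used


def newly_affected(detected: dict[str, set[str]], known: set[str]) -> set[str]:
    """Flagged libraries that no earlier report had linked to a vulnerability."""
    return set().union(*detected.values()) - known


def score(detected: dict[str, set[str]], truth: dict[str, set[str]]) -> dict[str, float]:
    """Precision, recall and F1 over (report, library) pairs.

    Assumed definition: false alarm ratio = share of raised alarms that are
    not confirmed affected libraries (the abstract does not define it).
    """
    pred = {(r, lib) for r, libs in detected.items() for lib in libs}
    gold = {(r, lib) for r, libs in truth.items() for lib in libs}
    tp = len(pred & gold)
    precision = tp / len(pred) if pred else 0.0
    recall = tp / len(gold) if gold else 0.0
    f1 = 2 * precision * recall / (precision + recall) if tp else 0.0
    return {"precision": precision, "recall": recall, "f1": f1,
            "false_alarm_ratio": (1.0 - precision) if pred else 0.0}


# Constructed NVD-style records (not real CVEs); only the CPE lists matter here.
REPORTS = [
    {"id": "report-1", "cpes": ["cpe:2.3:a:acme:httpclient:4.1:*:*:*:*:*:*:*",
                                "cpe:2.3:o:acme:serveros:2.0:*:*:*:*:*:*:*"]},
    {"id": "report-2", "cpes": ["cpe:2.3:a:acme:jsonparser:1.2:*:*:*:*:*:*:*",
                                "cpe:2.3:a:acme:jsonparser\\:legacy:1.0:*:*:*:*:*:*:*"]},
    {"id": "report-3", "cpes": ["cpe:2.3:a:bolt:templating:3.0:*:*:*:*:*:*:*"]},
]
# Constructed ground truth: the 'jsonparser:legacy' CPE is a listing artefact the
# heuristic wrongly flags, and report-3 also affects a library whose CPE is
# missing from the report, which a CPE-based detector cannot recover.
TRUTH = {"report-1": {"acme:httpclient"},
         "report-2": {"acme:jsonparser"},
         "report-3": {"bolt:templating", "bolt:template_helpers"}}
USED = {"acme:httpclient", "acme:jsonparser", "bolt:template_helpers"}  # org's dependencies
KNOWN = {"acme:httpclient", "acme:jsonparser"}  # libraries seen in earlier reports


def run_evaluation(reports=REPORTS, truth=TRUTH, used=USED, known=KNOWN) -> dict:
    """Score the detector from a vendor's view (all libraries) and an
    organization's view (only the libraries it uses)."""
    detected = {r["id"]: detect_affected(r) for r in reports}
    detected_used = {rid: restrict_to_used(libs, used) for rid, libs in detected.items()}
    truth_used = {rid: restrict_to_used(libs, used) for rid, libs in truth.items()}
    return {"vendor_view": score(detected, truth),
            "organization_view": score(detected_used, truth_used),
            "newly_affected": newly_affected(detected, known)}


if __name__ == "__main__":
    for view, result in run_evaluation().items():
        print(view, result)
```

On the constructed data the vendor view scores 0.75 precision and recall with a 25% false alarm ratio, while restricting alarms to the organization's own dependencies removes the false alarm entirely but leaves recall capped by the library the report never names; that gap between the two views is what the abstract's separate organization-level numbers measure.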
Details
- Title
- Automated detection of affected libraries from vulnerability reports
- Creators
- Jinwei Xu (Nanjing University); He Zhang (Nanjing University); Xin Zhou (Nanjing University); Yanjing Yang (Nanjing University); Runfeng Mao (Nanjing University); Xiaokang Li (Nanjing University); Lanxin Yang (Nanjing University); Haifeng Shen (Southern Cross University)
- Publication Details
- Automated software engineering, Vol.32(2), pp.1-38
- Publisher
- Springer Nature
- Grant note
- This work is supported by the Natural Science Foundation of Jiangsu Province (No. BK20241195), the National Natural Science Foundation of China (No. 62202219, No. 62302210), the Open Project of Key Laboratory of Industry and Information Technology Ministry for Software Fusion Application and Testing Verification (RFT20250301), the Science and Technology Development Program of Two Districts in Xinjiang Province, China under Grant (No. 2024LQ03004), the Innovation Projects and Overseas Open Projects of State Key Laboratory for Novel Software Technology (Nanjing University) (ZZKT2025A12, ZZKT2025B18, ZZKT2025B20, ZZKT2025B22, KFKT2025A17, KFKT2025A19, KFKT2025A20, KFKT2024A02, KFKT2024A13, KFKT2024A14, KFKT2023A09, KFKT2023A10).
- Identifiers
- 991013304503502368
- Copyright
- © 2025, The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature
- Academic Unit
- Faculty of Science and Engineering
- Language
- English
- Resource Type
- Journal article