Title:Generating Mitigations for Downstream Projects to Neutralize Upstream Library Vulnerability

Abstract:Third-party libraries are essential in software development as they prevent the need for developers to recreate existing functionalities. However, vulnerabilities within these libraries pose significant risks to dependent projects. Upgrading dependencies to secure versions is not feasible to neutralize vulnerabilities without patches or in projects with specific version requirements. Moreover, repairing the vulnerability proves challenging when the source code of the library is inaccessible. Both the state-of-the-art automatic vulnerability repair and automatic program repair methods fail to address this issue. Therefore, mitigating library vulnerabilities without source code and available patches is crucial for a swift response to potential security attacks. Existing tools encounter challenges concerning generalizability and functional security. In this study, we introduce LUMEN to mitigate library vulnerabilities in impacted projects. Upon disclosing a vulnerability, we retrieve existing workarounds to gather a resembling mitigation strategy. In cases where a resembling strategy is absent, we propose type-based strategies based on the vulnerability reproducing behavior and extract essential information from the vulnerability report to guide mitigation generation. Our assessment of LUMEN spans 121 impacted functions of 40 vulnerabilities, successfully mitigating 70.2% of the functions, which substantially outperforms our baseline in neutralizing vulnerabilities without functionality loss. Additionally, we conduct an ablation study to validate the rationale behind our resembling strategies and type-based strategies.