Beyond SBOM: Integrating VEX into Open Source Workflows
UD2.208 (Decroly) | Day 2 | 10:30 - 11:00 | Speakers: Munawar Hafiz, Michael Winser, Piotr P. Karwasz
Abstract
When a new CVE surfaces in an open-source dependency, teams face an immediate question: Do we really need to update? Is the vulnerability exploitable? In practice, nearly 90% of reported issues never affect the consuming application, but identifying the critical 10% is far from trivial. Reachability analysis offers a path forward by tracing vulnerable functions from the upstream component through multi-hop call graphs to determine whether the affected code is ever invoked downstream.
Despite its value, reachability analysis is notoriously difficult to automate. Most organizations still rely on manual investigation, while existing SCA tools frequently fall short, leaving teams uncertain and prompting unnecessary upgrades.
This talk presents a concrete case study from Apache Hadoop and Solr, illustrating how accurate reachability analysis can prevent wasted effort, reduce noise, and focus attention on the vulnerabilities that truly matter. The reachability of vulnerabilities will be analyzed using the Open Source VEX Generation Toolset project.
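The multi-hop reachability check the abstract describes, reduced to its core, as an added illustration that is not code from the talk or from the Open Source VEX Generation Toolset: a breadth-first walk over a constructed call graph from the application's entry points, with the result expressed as an OpenVEX-style statement (status values and the `vulnerable_code_not_in_execute_path` justification are the standard OpenVEX ones; the graph, function names, package URL and CVE id are placeholders).

```python
from collections import deque

# Constructed call graph: caller -> callees. Edges crossing from the
# application ("app.*") into the dependency ("lib.*") are what a
# multi-hop reachability walk has to follow.
CALL_GRAPH = {
    "app.main": ["app.Service.handle", "lib.Parser.parse"],
    "app.Service.handle": ["lib.Parser.parse"],
    "lib.Parser.parse": ["lib.Parser.parseHeader"],
    "lib.Parser.parseHeader": [],
    "lib.Parser.parseLegacy": ["lib.Parser.decodeUnsafe"],  # never called by app
    "lib.Parser.decodeUnsafe": [],
}

def reachable_from(graph, entry_points):
    """Breadth-first walk from the application's entry points; returns every
    function that can be invoked through any number of call hops."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def vex_statement(graph, entry_points, vuln_id, product, vulnerable_functions):
    """Build an OpenVEX-style statement: 'affected' when any function named in
    the advisory is reachable, otherwise 'not_affected' with the justification
    vulnerable_code_not_in_execute_path (an OpenVEX justification value)."""
    hit = sorted(reachable_from(graph, entry_points) & set(vulnerable_functions))
    stmt = {"vulnerability": {"name": vuln_id}, "products": [{"@id": product}]}
    if hit:
        stmt["status"] = "affected"
        stmt["action_statement"] = "Reachable vulnerable functions: " + ", ".join(hit)
    else:
        stmt["status"] = "not_affected"
        stmt["justification"] = "vulnerable_code_not_in_execute_path"
    return stmt

if __name__ == "__main__":
    # Placeholder identifiers; the advisory names lib.Parser.decodeUnsafe.
    print(vex_statement(CALL_GRAPH, ["app.main"], "CVE-YYYY-NNNN",
                        "pkg:maven/example/app@1.0.0", ["lib.Parser.decodeUnsafe"]))
```

A real analysis must also account for edges a static walk misses (reflection, dynamic dispatch, service loaders); a missing edge turns a false "not_affected" into exactly the silent exposure VEX is meant to prevent.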
Speakers
Munawar Hafiz is the founder and head of innovations of OpenRefactory, Inc., an application security company that aims to improve the way developers write secure, reliable and compliant code. Munawar's academic work on automated bug fixing laid the foundation for OpenRefactory. He champions pushing SAST bug detection tools toward better precision and adding code-rewriting capabilities that fix bugs automatically.
Michael Winser has been creating and delivering software applications since 1984. Michael's experience spans over 25 years at Google and Microsoft and more than a decade of startups. More recently, Michael co-founded the Alpha-Omega project and is a Security Strategy Ambassador for the Eclipse Foundation. He also provides product and strategy advice to various companies and organizations.
When not working on open source security, Michael enjoys wing foiling, skating, skiing, and spending time with his family.
Piotr has contributed to Open Source since 2002, progressing from forum support to coding and project maintenance. After Log4Shell he joined Apache Logging Services and became a full-time maintainer in 2023. He works on ECMA TC54 and other security initiatives, applying them to Apache Commons, Log4j, and the wider OSS community.