Static analysis tool discrepancies and the pursuit of a unified vulnerability database
Publisher
Montana State University - Bozeman, College of Engineering
Abstract
When cyber attacks succeed, they affect communities, not just systems. To protect against these threats, organizations use static analysis tools to identify vulnerabilities in software components, especially within third-party dependencies. The effectiveness of these tools depends on the external vulnerability databases they rely on. The specific databases a tool uses and the way it aggregates their data significantly influence the vulnerabilities it identifies and reports. In this thesis, I investigate inconsistent vulnerability counts reported by two widely used static analysis tools, Trivy and Grype, across 927 Docker images. Trivy and Grype rely on different vulnerability databases. I show that differences in database selection and aggregation techniques lead to divergent vulnerability counts, classifications, and severity metrics. My findings emphasize the need for better interoperability and aggregation strategies in vulnerability management. In response, I developed a graph-based vulnerability database that integrates data from the National Vulnerability Database (NVD), GitHub Advisories, and the Open Source Vulnerability (OSV) database. By incorporating relationships such as aliases and related vulnerabilities, the graph database enables seamless cross-referencing, even across differing vulnerability identifiers. Further, the graph database includes EPSS scores and CWE mappings, offering additional security perspectives. This approach improves both coverage and collaboration, supporting informed security decisions. My analysis of the 2023 top ten most routinely exploited vulnerabilities demonstrates the graph database's practical value: while all ten were present in the NVD, OSV included only one, and GitHub Advisories required alias relationships for identification. Moreover, nine of the ten vulnerabilities shared linked Common Weakness Enumeration (CWE) entries, revealing exploitable patterns in vulnerability structures.
This thesis advances the field by exposing inconsistencies in existing vulnerability tools that rely on disparate databases, and by introducing a scalable, unified system to enable more informed security decision-making.
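As an added illustration (not the thesis's own code or data), the following toy graph shows how alias edges let a single identifier be resolved across NVD, GitHub Advisories and OSV, and how CWE and EPSS attributes can be read across the resolved alias cluster. All identifiers and scores are constructed placeholders, not real advisories.

```python
"""Toy alias-linked vulnerability graph (constructed example, placeholder IDs)."""
from collections import defaultdict, deque

# Constructed sample advisories: (source, identifier, aliases, CWE ids, EPSS score).
# Identifiers are placeholders; GHSA/PYSEC records point at a CVE via aliases.
RECORDS = [
    ("NVD",  "CVE-0000-0001",   [],               ["CWE-79"],  0.42),
    ("GHSA", "GHSA-xxxx-0001",  ["CVE-0000-0001"], ["CWE-79"],  None),
    ("NVD",  "CVE-0000-0002",   [],               ["CWE-787"], 0.91),
    ("OSV",  "PYSEC-0000-0002", ["CVE-0000-0002"], [],          None),
    ("GHSA", "GHSA-xxxx-0002",  ["CVE-0000-0002"], ["CWE-787"], None),
    ("NVD",  "CVE-0000-0003",   [],               ["CWE-22"],  0.05),  # no aliases
]

def build_graph(records):
    """Return an undirected alias adjacency map and a per-identifier attribute map."""
    adj, attrs = defaultdict(set), {}
    for source, vid, aliases, cwes, epss in records:
        attrs[vid] = {"source": source, "cwes": set(cwes), "epss": epss}
        adj[vid]  # make sure isolated nodes exist in the graph
        for alias in aliases:
            adj[vid].add(alias)
            adj[alias].add(vid)
    return adj, attrs

def resolve(adj, vid):
    """Breadth-first walk over alias edges: every identifier naming the same flaw."""
    seen, queue = {vid}, deque([vid])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def coverage(adj, attrs, vid):
    """Sources that describe the flaw once aliases are followed."""
    return {attrs[v]["source"] for v in resolve(adj, vid) if v in attrs}

def find_in_source(adj, attrs, vid, source):
    """Identifier used by `source` for the same flaw, or None if that source lacks it."""
    return next((v for v in resolve(adj, vid)
                 if v in attrs and attrs[v]["source"] == source), None)

def cluster_cwes(adj, attrs, vid):
    """Union of CWE mappings across the alias cluster (fills gaps in sparse records)."""
    return set().union(*(attrs[v]["cwes"] for v in resolve(adj, vid) if v in attrs))

def cluster_epss(adj, attrs, vid):
    """Highest EPSS score attached to any identifier in the cluster, or None."""
    scores = [attrs[v]["epss"] for v in resolve(adj, vid)
              if v in attrs and attrs[v]["epss"] is not None]
    return max(scores) if scores else None
```

Looking a CVE up directly in the GHSA records finds nothing, but walking the alias edges returns the matching GHSA identifier, which mirrors the abstract's observation that GitHub Advisories required alias relationships for identification.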