Analysing the attack surface of JavaScript dependencies (taken)

Most software today is released in the form of packages, which may have dependencies on other software packages that need to be installed first or be available as a library. In this project, we are going to analyse these dependencies and potential vulnerabilities they introduce.

We have already developed a tool chain that allows us to download PHP packages, extract metadata (author, version, etc.), and store everything into a graph DB for analysis. This project can take one of two forms, depending on the students’ interests and background.

The first option is to carry out an analysis of dependencies in the PHP universe and to develop an algorithm that finds out which packages depend on other, known-vulnerable packages. The result is a live tracking system that continuously tracks packages affected by new vulnerabilities.

The second option is to add the extraction of JavaScript package dependencies to our toolchain and run initial analyses on them.

The project can be split up for two students to work on it, with each student working on one option.
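As an added illustration of the dependency analysis in the first option (example code written for this description, not part of the project's toolchain), the following Python walks a constructed dependency graph in reverse from a set of known-vulnerable packages and reports every transitively affected package together with the chain through which it is exposed. All package names and the advisory id are placeholders.

```python
from collections import deque

# Constructed sample dependency graph: package -> direct dependencies.
# Names are illustrative placeholders, not real PHP or JavaScript packages.
DEPENDENCIES = {
    "app/shop": ["vendor/http", "vendor/orm"],
    "vendor/http": ["vendor/uri", "vendor/log"],
    "vendor/orm": ["vendor/log"],
    "vendor/uri": [],
    "vendor/log": ["vendor/fmt"],
    "vendor/fmt": [],
    "tools/cli": ["vendor/fmt"],
    "lib/standalone": [],
}
# Constructed advisory feed: vulnerable package -> placeholder advisory id.
KNOWN_VULNERABLE = {"vendor/fmt": "ADVISORY-PLACEHOLDER-1"}


def reverse_edges(deps):
    """Invert the graph so we can walk from a dependency to its dependants."""
    rev = {pkg: set() for pkg in deps}
    for pkg, direct in deps.items():
        for d in direct:
            rev.setdefault(d, set()).add(pkg)
    return rev


def affected_packages(deps, vulnerable):
    """Map every package that directly or transitively depends on a vulnerable
    package to (vulnerable_pkg, shortest dependency chain). A BFS from each
    vulnerable package over the reversed edges visits each node once."""
    rev = reverse_edges(deps)
    affected = {}
    for vuln in vulnerable:
        queue, seen = deque([(vuln, [vuln])]), {vuln}
        while queue:
            node, chain = queue.popleft()
            for dependant in sorted(rev.get(node, ())):
                if dependant in seen or dependant in vulnerable:
                    continue  # vulnerable packages are reported on their own
                seen.add(dependant)
                # First visit is the shortest chain; keep it for reporting.
                affected.setdefault(dependant, (vuln, [dependant] + chain))
                queue.append((dependant, [dependant] + chain))
    return affected


if __name__ == "__main__":
    for pkg, (vuln, chain) in sorted(affected_packages(DEPENDENCIES, KNOWN_VULNERABLE).items()):
        print(f"{pkg}: affected via {vuln} ({KNOWN_VULNERABLE[vuln]}): {' -> '.join(chain)}")
```

Re-running the walk whenever the advisory feed changes is the core of the "live tracking" idea: only the vulnerable set changes, the graph is reused.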

Keywords: data analysis, software security

Advisor(s): Ralph Holz, Ingo Weber

Suitable for: Honours SSP/TSP