Vulnerabilities, referred to as CLV issues, are induced by cross-language invocations of vulnerable libraries. Such issues greatly increase the attack surface of Python/Java projects due to their pervasive use of C libraries. Since existing Python/Java build tools in PyPI and Maven ecosystems fail to report vulnerable libraries written in other languages such as C, CLV issues are easily missed by developers. In this paper, we conduct the first empirical study on the status quo of CLV issues in PyPI and Maven ecosystems. It is found that 82,951 projects in these ecosystems are directly or indirectly dependent on libraries compiled from the C project versions that are identified to be vulnerable in CVE reports. Our study arouses the awareness of CLV issues in popular ecosystems and presents related analysis results.

The study also leads to the development of the first automated tool, \textsc{Insight}, which provides a turn-key solution to the identification of CLV issues in PyPI and Maven projects based on published CVE reports of vulnerable C projects. \textsc{Insight} automatically identifies if a PyPI or Maven project is using a C library compiled from vulnerable C project versions in published CVE reports. It also deduces the vulnerable APIs involved by analyzing the usage of various foreign function interfaces such as \emph{CFFI} and \emph{JNI} in the concerned PyPI or Maven project. \textsc{Insight} achieves a high detection rate of 88.4% on a popular CLV issue benchmark. Contributing to the open-source community, we report 226 CLV issues detected in the actively maintained PyPI and Maven projects that are directly dependent on vulnerable C library versions. Our reports are well received and appreciated by developers with queries on the availability of \textsc{Insight}. 127 reported issues (56.2%) were quickly confirmed by developers and 74.8% of them were fixed/under fixing by popular projects, such as {\mycode Mongodb}~\cite{Mongodb} and {\mycode Eclipse/Sumo}~\cite{Eclipse/Sumo}.

Meiqiu Xu

Northeastern University, China

China

Ying Wang

Northeastern University, China

Shing-Chi Cheung

Hong Kong University of Science and Technology

China

Hai Yu

Northeastern University, China

Zhiliang Zhu

Northeastern University, China