Replication Package for ASE 2026
收藏Zenodo2026-05-28 更新2026-05-26 收录
下载链接:
https://zenodo.org/doi/10.5281/zenodo.19230102
下载链接
链接失效反馈官方服务:
资源简介:
🧪 Replication Package for
ASE 2026
This repository contains the first large-scale empirical study on the cross-version applicability of Java library vulnerability exploits. It challenges the prevailing wisdom that exploits are highly version-specific, demonstrating an 83.0% recall in identifying affected versions using disclosed exploits. Furthermore, it provides a comprehensive benchmark for exploit migration, enabling the recovery of 77.1% of failed cases.
🏆 Real-World Impact: Contributions to CPE
One of the key contributions of this work is the identification of missing affected versions in official vulnerability databases. We systematically reported our findings to the National Vulnerability Database (NVD) team.
2026.5.1 updates: Our contribution to 7 CVEs in the Jackson-databind library has been partially confirmed by NVD. So far, we have contributed to 20 CVEs (796+723=1519 Versions).
Our contributions have been verified and accepted, resulting in updates to the CPE dictionary for the following 13 CVEs:
CVE ID
Verified Omission in Original CPE Entry
Missing Versions
Change Date
CVE-2017-1000190
Omits all versions prior to 2.7.1.
74
9/12/2025
CVE-2018-1274
Omits all versions prior to 1.13.
62
9/12/2025
CVE-2019-11272
Omits all versions prior to 4.2.0.
79
9/12/2025
CVE-2019-5312
Omits all versions prior to 3.3.0.
36
9/12/2025
CVE-2021-29425
Omits versions 1.1 through 2.1.
8
Confirmed
CVE-2023-42276
Omits all versions prior to 5.8.21.
174
9/12/2025
CVE-2023-51080
Omits version 5.8.22.
1
9/12/2025
CVE-2019-5427
Omits version 0.9.5.3.
1
9/05/2025
CVE-2021-3878
Omits version 4.3.0.
1
9/08/2025
CVE-2023-50572
Omits all versions prior to 3.24.1.
13
9/05/2025
CVE-2023-51075
Omits all versions prior to 5.8.23.
176
9/05/2025
CVE-2022-45690
Omits all versions prior to 5.8.10.
165
9/12/2025
CVE-2023-51074
Omits all versions prior to 2.8.0.
6
9/12/2025
Total
13 CVEs Updated
796
2026.5.1 updates: 7 CVEs that were validated by NVD after the submission of our paper.
CVE-2020-11112
2.10 branch (2.10.0.pr1 - 2.10.3), 2.11 branch (2.11.0.rc1), and all branches prior to 2.9.
110 (2.10,2.11 omitted)
4/29/2026
CVE-2020-11113
2.10 branch (2.10.0.pr1 - 2.10.3), 2.11 branch (2.11.0.rc1), and all branches prior to 2.9.
110 (2.10,2.11 omitted)
4/29/2026
CVE-2020-11619
2.10 branch (2.10.0.pr1 - 2.10.3), 2.11 branch (2.11.0.rc1), and all branches prior to 2.9.
110 (2.10,2.11 omitted)
4/29/2026
CVE-2020-14060
2.10 branch (2.10.0.pr1 - 2.10.3), 2.11 branch (2.11.0.rc1 - 2.11.0), and all branches prior to 2.9.
110 (2.10,2.11 omitted)
4/29/2026
CVE-2020-14062
2.10 branch (2.10.0.pr1 - 2.10.3), 2.11 branch (2.11.0.rc1 - 2.11.0), and all branches prior to 2.9.
110 (2.10,2.11 omitted)
4/29/2026
CVE-2020-35728
2.10 branch (2.10.0.pr1 - 2.10.5.1), 2.11 branch (2.11.0.rc1 - 2.11.4), 2.12 branch (2.12.0.rc1 - 2.12.0.rc2), and all branches prior to 2.9.
106 (2.10,2.11,2.12 omitted)
4/29/2026
CVE-2020-9546
2.10 branch (2.10.0.pr1 - 2.10.2), as well as branches prior to 2.7.
67 (2.10 omitted)
4/29/2026
Total
7 CVEs Updated
723
📊 CWE Coverage
To characterize the representativeness of our exploit dataset, we further analyze its coverage over vulnerability types in the Maven ecosystem. Detailed results are provided in:
DataCollection/├── CWE-Coverage
This directory contains the CWE coverage statistics of our dataset, including both the CWE categories represented in our collected exploits and their coverage over historical Java Maven vulnerabilities.
Overall, among the 5,889 historical Java Maven CVEs collected from GitHub Advisory up to 2025, the CWE categories covered by our dataset account for 76.33% of all vulnerabilities (4,495 / 5,889). In addition, our dataset covers 68.96% of all distinct CWE types appearing in these vulnerabilities. These results indicate that, although our dataset does not include every vulnerability in the Maven ecosystem, it already captures the majority of practically relevant vulnerability types.
To further understand the security landscape covered by our dataset, we organize the included CWEs according to their higher-level CWE pillars, together with the number of corresponding CVEs observed in our collected dataset.
CWE Pillar Distribution
Pillar
Contained CWEs and Corresponding CVE Counts
Improper Access Control
CWE-287/295/863 (2), CWE-306/522/732/862 (1)
Improper Control of a Resource Through its Lifetime
CWE-502 (48), CWE-22 (18), CWE-611 (20), CWE-787 (19), CWE-770 (11), CWE-94 (11), CWE-400 (6), CWE-121/918 (6), CWE-434 (4), CWE-120 (3), CWE-200/776 (2), CWE-61/123/125/178/195/377/404/416/470/494/522/665/668/681/732/1321/1333 (1)
Insufficient Control Flow Management
CWE-835 (8), CWE-674/834 (2), CWE-776 (2), CWE-248 (1)
Improper Adherence to Coding Standards
CWE-476 (1)
Improper Check or Handling of Exceptional Conditions
CWE-130/248/476/754/755 (1)
Protection Mechanism Failure
CWE-184 (2), CWE-331/347/494 (1)
Incorrect Comparison
CWE-184 (2)
Improper Interaction Between Multiple Correctly-Behaving Entities
CWE-444 (4), CWE-113 (2), CWE-436 (1)
Improper Neutralization
CWE-20 (12), CWE-79 (11), CWE-94 (9), CWE-74/78 (5), CWE-917 (3), CWE-77/89/113/116 (2), CWE-87/91/117/130/176 (1)
Incorrect Calculation
CWE-190 (3)
📂 Repository Structure
This package is organized according to the research questions (RQs) and data collection phases described in the paper.
Plaintext
.├── DataCollection/ │ ├──CWE-Coverage│ ├ Exploits/ │ │ ├── Origin/ # Original disclosed exploits (GitHub/NVD)│ │ └── Vision/ # Exploits aligned with the Vision dataset│ └── Version/ │ ├── candidate-version.csv │ └── true-affected-version.csv # Manually verified Ground Truth│├── reproduce/ # attack environments for exploit reproduction│├── RQ1/ │ ├── CrossVersionRun/ │ │ ├── logs/ │ │ ├── results/ │ │ ├── run.py # Script for cross-version execution│ │ └── run_vision.py # Script for cross-version execution│ ├── datasource/ # Database snapshots and comparison results│ └── sota/ # Comparison with State-of-the-Art tools│├── RQ2/ │ ├── build-failure-*.csv # Analysis of build/environment errors│ ├── exploit-failure.csv # Analysis of logic/payload errors│ ├── unexpected-behavior.csv # Analysis of false positives/anomalies│ └── overall.csv # Summary of failure taxonomy│└── RQ3/ ├── exploit-migration.csv # The Exploit Migration Benchmark ├── migration/ # Source code of migrated exploits (1,885 cases) ├── edit_distance.py # Script to calculate migration cost └── edit_distance_results.jsonl
🛠️ Runtime Environment & Prerequisites
To fully reproduce the experiments, please ensure the following environment and dependencies are set up.
☕ Java & Maven
Apache Maven (Reference Version): 3.8.8
Java: Multiple JDK versions are required for RQ3 (see RQ3 section). Download and place them into a java/ folder at the repository root.
🐍 Python Environment
Python (Reference Version): 3.8.10 (default, Nov 22 2023)
Install dependencies with:
pip install \ bidict==0.23.1 \ certifi==2025.1.31 \ charset-normalizer==3.4.1 \ click==8.1.8 \ Flask==2.0.3 \ Flask-SocketIO==4.3.1 \ h11==0.16.0 \ idna==3.10 \ itsdangerous==2.2.0 \ Jinja2==3.1.6 \ MarkupSafe==2.1.5 \ pip==20.0.2 \ python-engineio==3.13.2 \ python-socketio==4.6.0 \ requests==2.32.3 \ setuptools==45.2.0 \ simple-websocket==1.1.0 \ six==1.17.0 \ urllib3==2.2.3 \ Werkzeug==2.0.3 \ wheel==0.34.2 \ wsproto==1.2.0
🖼️ PDF Processing
For PDF-based result processing, install Ghostscript:
sudo apt install ghostscriptexport ITEXT_GS_EXEC=/usr/bin/gs
⚡ Required Local Servers
Some exploits rely on network services (LDAP/RMI/HTTP). Start the servers before running exploit execution:
# Build marshalsec first (in ./reproduce/servers/marshalsec)cd ./reproduce/servers/marshalsecmvn package# Start LDAP & RMI serversjava -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://127.0.0.1:8080/#Exploit" 1389java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://127.0.0.1:8080/#Exploit" 1340# Start HTTP and socket servers (in ./reproduce/servers/attack)cd ../attackpython -m http.server 3306python socket-server.pypython remote.py
🧪 Reproducing RQ1: Cross-Version Applicability
Use the following scripts to reproduce the large-scale cross-version execution results, calculate metrics against vulnerability databases, and compare with SOTA tools.
cd RQ1/CrossVersionRun# Step 1: Execute exploits across historical versionspython run.py# Step 2: Execute exploits in visionpython run_vision.py
📊 Metric Calculation & Results Analysis
To generate the specific recall metrics for the 5 vulnerability databases (NVD, GitHub, GitLab, Snyk, Veracode), run the following script:
# Calculate and output recall metrics for all 5 databasespython ../datasource/parsed/recall.py
Key Result Files:
File Path
Description
RQ1/CrossVersionRun/results/
The raw output of our cross-version exploit execution.
RQ1/datasource/parsed/NVD.csv
Detailed comparison results between our exploits and the NVD data source.
RQ1/sota/vision-result.json
The raw execution results provided by the SOTA tool Vision [43].
RQ1/sota/SOTA-result.csv
Summary CSV comparing our approach against Vision and other baselines.
🔍 Analyzing RQ2: Limiting Factors
The RQ2/ directory contains the detailed failure analysis data, categorizing why specific exploits failed on vulnerable versions.
File
Description
exploit-failure.csv
Contains semantic failure categorizations (e.g., Invalid Payload, Logic Incompatible).
build-failure-\*.csv
Contains failures related to build errors, including Environment Issues and Symbol Resolution Failures.
unexpected-behavior.csv
Records cases where exploits triggered false positives or anomalies.
🛠️ Exploring RQ3: Exploit Migration Benchmark
We provide the largest benchmark of migrated exploits to date, offering both the source code and cost analysis tools.
📂 Migration Code: The RQ3/migration folder contains the actual source code for the 1,885 adapted exploits.
📂 Migration Conclusion: Stored in exploit-migration.csv.
📉 Cost Analysis: Run the following script to calculate the Edit Distance (LoC changes) for the migration strategies.
cd RQ3# Calculate migration costs (Lines of Code modified)python edit_distance.py
The results will be saved to edit_distance_results.jsonl .
📊 Dataset Statistics
Metric
Count
Libraries
128
Total Versions Scanned
28,150
Reproducible Exploits
259
True Affected Versions
14,378
Migrated Exploit Cases
1,885
提供机构:
Zenodo创建时间:
2026-03-26



