Abstract: Software is commonly built from a package of software packages, such as open-source packages. A package may require a number of interdependent packages, any one of which may have a security vulnerability. However, the dependencies between packages are often version specific and merely upgrading a package to the newest, or newest non-vulnerable, version may break a dependency and cause the software to be unbuildable (e.g., fail to compile or link) or, if built, faulty. By mapping dependencies to non-vulnerable versions a graphical representation may be built having one or more root-to-leaf paths identifying all the required packages by compatible version but exclude any vulnerable versions. The package may then be built to ensure the resulting software is both internally compatible between packages and absent known security vulnerabilities.

Abstract: A method (300) for linking a common vulnerability and exposure, CVE, (106) with at least one synthetic common platform enumeration, CPE, (112) wherein the CVE (106) comprises a summary of a vulnerability, is disclosed. The method (300) comprising: receiving (S302) the summary of the CVE (106) from a vulnerability database, VD, (104); extracting (S304) information from the summary of the CVE (106) using a Natural Language Processing, NLP, model; building (S306) at least one synthetic CPE (112) based on the extracted information; and linking (S308) the CVE (106) with the at least one synthetic CPE (112).

Abstract: Open-source software is prevalent in the development of new technologies. Monitoring software updates for vulnerabilities is expensive and time consuming. Online discussions surrounding new software updates can often provide vital information regarding emerging risks. It is presented a novel approach for automating surveillance of software through the use of natural language processing methods on open-source issues. Further, the potential of virtual adversarial training, a popular semi-supervised learning technique, is used to leverage the vast amounts of unlabeled data available to achieve improved performance. On industry data, it is found that a hierarchical attention network with virtual adversarial training that utilizes the innate document structure to encapsulate the text can be used with good results.