Security Analysis of Dependency Confusion for Third Party Components: A Risk Assessment Framework Based on Source Code Tree Matching

Abstract

With the widespread use of third-party components in software development, their security has become a major challenge in the field of software security. The injection of malicious components, or developers unintentionally referencing components with security weaknesses, can lead to serious security problems. Dependency confusion is one such threat: a package that shares the name of a private, internal dependency is published to a public registry so that the build tool resolves the public package in place of the internal one. To address dependency confusion effectively, this paper proposes Comchecker, a detection framework based on source code analysis. The framework first accurately identifies and builds the code tree of each third-party component and optimizes it through static analysis of the component's source code. It then evaluates the security risk of the component with a comprehensive evaluation model that combines factors such as the component's source, its structural features, and its relationship to other components. We evaluate the proposed framework in a series of experiments and compare it with three state-of-the-art component detection tools. Comchecker achieves 93.51% accuracy for third-party component detection, outperforming the existing tools in both accuracy and precision, and 91.04% accuracy for dependency confusion detection. Finally, Comchecker extends readily to components written in most mainstream development languages.
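As an added illustration of the source-tree matching idea (example code written for this page, not Comchecker's own implementation), the following Python builds a Merkle-style digest over a package's source tree, diffs a trusted copy against the copy a build actually resolved, and turns the differences into a risk score. The two file trees, the package name, the file-type weights and the threshold are all constructed for the example; the paper's actual evaluation model is not reproduced here.

```python
import hashlib
from typing import Dict, List

# Constructed sample data (not from the paper): two source trees for a package
# that a company publishes only to its private registry.  TRUSTED_TREE is the
# copy from that registry; RESOLVED_TREE is what a build pulled from a public
# registry under the same name.  Paths map to file contents.
TRUSTED_TREE: Dict[str, str] = {
    "setup.py": "from setuptools import setup\n"
                "setup(name='acme-internal-utils', version='1.4.2')\n",
    "acme_utils/__init__.py": "from .retry import retry\n",
    "acme_utils/retry.py": "def retry(fn, n=3):\n    return fn()\n",
}

RESOLVED_TREE: Dict[str, str] = {
    # Same name, much higher version: the lure for resolvers that pick the
    # highest version seen across registries.  setup.py now imports a module
    # that runs at install time.
    "setup.py": "from setuptools import setup\n"
                "import acme_utils._hook\n"
                "setup(name='acme-internal-utils', version='99.0.0')\n",
    "acme_utils/__init__.py": "from .retry import retry\n",
    "acme_utils/retry.py": "def retry(fn, n=3):\n    return fn()\n",
    "acme_utils/_hook.py": "import os, socket\n# placeholder for install-time payload\n",
}

# Hypothetical risk weights: structural change kinds, plus a surcharge for
# files that package managers execute at install time.
WEIGHTS = {"added": 2, "removed": 1, "modified": 3, "install_hook": 5}
INSTALL_TIME_FILES = {"setup.py", "package.json", "build.gradle", "Makefile"}


def file_digest(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()


def tree_digest(tree: Dict[str, str]) -> str:
    """Merkle-style digest of a whole tree: a path-sorted hash over
    (path, file digest) pairs, so any added, removed or edited file changes it."""
    h = hashlib.sha256()
    for path in sorted(tree):
        h.update(path.encode() + b"\0" + file_digest(tree[path]).encode() + b"\n")
    return h.hexdigest()


def diff_trees(trusted: Dict[str, str], resolved: Dict[str, str]) -> Dict[str, List[str]]:
    """Structural diff of two trees by path and per-file digest."""
    added = sorted(p for p in resolved if p not in trusted)
    removed = sorted(p for p in trusted if p not in resolved)
    modified = sorted(
        p for p in trusted
        if p in resolved and file_digest(trusted[p]) != file_digest(resolved[p])
    )
    return {"added": added, "removed": removed, "modified": modified}


def risk_score(diff: Dict[str, List[str]]) -> int:
    """Weighted sum over the diff; install-time files carry an extra surcharge."""
    score = 0
    for kind in ("added", "removed", "modified"):
        for path in diff[kind]:
            score += WEIGHTS[kind]
            if path.rsplit("/", 1)[-1] in INSTALL_TIME_FILES:
                score += WEIGHTS["install_hook"]
    return score


def assess(trusted: Dict[str, str], resolved: Dict[str, str], threshold: int = 5) -> dict:
    """Compare the resolved tree against the trusted one and classify it."""
    if tree_digest(trusted) == tree_digest(resolved):
        return {"verdict": "match", "score": 0,
                "diff": {"added": [], "removed": [], "modified": []}}
    diff = diff_trees(trusted, resolved)
    score = risk_score(diff)
    verdict = "suspect" if score >= threshold else "minor-drift"
    return {"verdict": verdict, "score": score, "diff": diff}


if __name__ == "__main__":
    print(assess(TRUSTED_TREE, TRUSTED_TREE))
    print(assess(TRUSTED_TREE, RESOLVED_TREE))
```

In a real pipeline the trusted tree would come from the internal registry (or from digests pinned in a lockfile) and a verdict of `suspect` would fail the build before any install-time script runs; the weights here only illustrate why a changed `setup.py` plus a new module should outrank cosmetic drift.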
