Vulnerabilities are a known problem in modern Open Source Software (OSS). Most developers often rely on third-party libraries to accelerate feature implementation. However, these libraries may contain vulnerabilities that attackers can exploit to propagate malicious code, posing security risks to dependent projects. Existing research addresses these challenges through software composition analysis (SCA) for vulnerability detection and remediation. Nevertheless, current solutions may introduce additional issues, such as incompatibilities, dependency conflicts, and additional vulnerabilities.
To address this, we propose Vulnerability Scan and Protection (VULNSCANPRO), a robust solution for detection and remediation vulnerabilities in Maven projects. Specifically, VULNSCANPRO builds a fine-grained method graph to identify unreachable methods. The method graph is mapped to the project’s dependency tree, constructing a comprehensive vulnerability propagation graph that identifies unreachable vulnerable APIs and dependencies. Based on this analysis, we propose three solutions for vulnerability remediation: (1) Removing unreachable vulnerable dependencies, thereby resolving security risks and reducing maintenance overhead. (2) Upgrading vulnerable dependencies to the closest non-vulnerable versions, while pinning the versions of transitive dependencies introduced by the vulnerable dependency, in order to mitigate compatibility issues and prevent the introduction of new vulnerabilities. (3) Eliminating unreachable vulnerable APIs, particularly when security patches are either incompatible or absent. Experimental results show that these solutions effectively mitigate vulnerabilities and enhance the overall security of the project.