Abstract

Over the past decade, there has been a major shift towards the globalization of the software industry, by allowing code to be shared and reused across project boundaries. This global code reuse can take on various forms, include components or libraries which are publicly available on the Internet. However, this code reuse also comes with new challenges, since not only code but also vulnerabilities these components might be exposed to are shared. The software engineering community has attempted to address this challenge by introducing bug bounty platforms and software vulnerability repositories, to help organizations manage known vulnerabilities in their systems. However, with the ever-increasing number of vulnerabilities and information related to these vulnerabilities, it has become inherently more difficult to synthesize this knowledge. Knowledge Graphs and their supporting technology stack have been promoted as one possible solution to model, integrate, and support interoperability among heterogeneous data sources.
In this thesis, we introduce a methodology that takes advantage of knowledge graphs to integrate resources related to known software vulnerabilities. More specifically, this thesis takes advantage of knowledge graphs to introduce a unified representation that transforms traditional information silos (e.g., VDBs, bug bounty programs) and transforms them in information hubs. Several use cases are presented to illustrate the applicability and flexibility of our modeling approach, demonstrating that the presented knowledge modeling approach can indeed unify heterogeneous vulnerability data sources and enable new types of vulnerability analysis.