Vulnerable Open Source Dependencies: Counting Those That Matter
BACKGROUND: Vulnerable dependencies are a known problem in today's
open-source software ecosystems because OSS libraries are highly interconnected
and developers do not always update their dependencies. AIMS: In this paper we
aim to present a precise methodology that combines the code-based analysis of
patches with information on build, test, update dates, and group extracted from
the very code repository, and therefore caters to the needs of industrial
practice for correct allocation of development and audit resources. METHOD: To
understand the industrial impact of the proposed methodology, we considered the
200 most popular OSS Java libraries used by SAP in its own software. Our
analysis included 10905 distinct GAVs (group, artifact, version) when
considering all the library versions. RESULTS: We found that about 20% of the
dependencies affected by a known vulnerability are not deployed, and therefore,
they do not represent a danger to the analyzed library because they cannot be
exploited in practice. Developers of the analyzed libraries are able to fix
(and actually responsible for) 82% of the deployed vulnerable dependencies. The
vast majority (81%) of vulnerable dependencies may be fixed by simply updating
to a new version, while 1% of the vulnerable dependencies in our sample are
halted, and therefore, potentially require a costly mitigation strategy.
CONCLUSIONS: Our case study shows that correct counting allows software
development companies to receive actionable information about their library
dependencies, and therefore to correctly allocate costly development and audit
resources, which are spent inefficiently in case of distorted measurements.
Comment: This is a pre-print of the paper that appears, with the same title,
in the proceedings of the 12th International Symposium on Empirical Software
Engineering and Measurement, 201
Numerical and experimental analysis of the leaning Tower of Pisa under earthquake
Twenty years have passed since the most recent studies about the dynamic behavior of the leaning Tower of Pisa. Significant changes have occurred in the meantime, the most important ones concerning the soil-structure interaction. From 1999 to 2001, the foundation of the monument was consolidated through under-excavation, and the "Catino" at the basement was rigidly connected to the foundation. Moreover, in light of the recent advances in the field of earthquake engineering, past studies about the Tower must be revised. Therefore, the present research aims at providing new data and results about the structural response of the Tower under earthquake. As regards the experimental assessment of the Tower, the dynamic response of the structure recorded during some earthquakes has been analyzed in the time and frequency domains. An Array 2D test has been performed in the Square of Miracles to identify a soil profile suitable for site response analyses, thus allowing the definition of the free-field seismic inputs at the base of the Tower. On the other hand, a synthetic evaluation of the seismic input in terms of response spectra has been done by means of a hybrid approach that combines Probabilistic and Deterministic Seismic Hazard Assessment methods. Furthermore, natural accelerograms have been selected and scaled properly. A finite element model that takes into account the inclination of the structure has been elaborated, and it has been updated taking into account the available experimental results. Finally, current numerical and experimental efforts for enhancing the seismic characterization of the Tower have been illustrated
SIGMA: a new tool for the simulation of spectrum-compatible earthquake ground motions
In earthquake engineering, the selection of input ground motion is crucial for applications in nonlinear dynamic analyses of structures and geotechnical systems. Ground motion simulation can be a valid alternative to natural ground motions, which can be scarce for certain combinations of earthquake scenarios and site conditions, especially for large, infrequent earthquakes. In addition, simulations can avoid using disproportionate scale factors to achieve spectrum compatibility, which may affect the consistency of the scaled records with the original seismological parameters. This work presents a methodology for generating a specific number of spectrum-compatible simulated ground motions given a few input parameters: magnitude, distance, VS30, depth and faulting style. A software tool implementing the simulation of ground motion records is also provided. The time series are simulated with an up-to-date non-stationary stochastic model calibrated using a ground motion predictive equation derived from the Italian strong motion database. The spectrum-compatible accelerograms are selected among hundreds of simulations using an innovative optimization technique based on a genetic algorithm, which finds the combination of records with the smallest deviation with respect to the target response spectrum (e.g. seismic code spectrum). An example of the procedure applied to specific earthquake scenarios is provided, including the probabilistic seismic hazard assessment for two case studies and a comparison with the selection of natural ground motion records. This procedure allows for the simulation of a desired number of realistic ground motions, representing a valid alternative to natural ground motions to be used in nonlinear time-domain analyses of civil structures
Secure Software Development in the Era of Fluid Multi-party Open Software and Services
Pushed by market forces, software development has become fast-paced. As a
consequence, modern development projects are assembled from 3rd-party
components. Security & privacy assurance techniques, once designed for large,
controlled updates over months or years, must now cope with small, continuous
changes taking place within a week, and happening in sub-components that are
controlled by third-party developers one might not even know exist. In
this paper, we aim to provide an overview of the current software security
approaches and evaluate their appropriateness in the face of the changed nature
of software development. Software security assurance could benefit from switching
from a process-based to an artefact-based approach. Further, security
evaluation might need to be more incremental, automated and decentralized. We
believe this can be achieved by supporting mechanisms for lightweight and
scalable screenings that are applicable to the entire population of software
components, albeit there might be a price to pay.
Comment: 7 pages, 1 figure, to be published in Proceedings of International
Conference on Software Engineering - New Ideas and Emerging Result
Simulation of non-stationary stochastic ground motions based on recent Italian earthquakes
This work presents an up-to-date model for the simulation of non-stationary ground motions, including several novelties compared to the original study of Sabetta and Pugliese (Bull Seism Soc Am 86:337–352, 1996). The selection of the input motion in the framework of earthquake engineering has become progressively more important with the growing use of nonlinear dynamic analyses. Regardless of the increasing availability of large strong motion databases, ground motion records are not always available for a given earthquake scenario and site condition, requiring the adoption of simulated time series. Among the different techniques for the generation of ground motion records, we focused on the methods based on stochastic simulations, considering the time-frequency decomposition of the seismic ground motion. We updated the non-stationary stochastic model initially developed in Sabetta and Pugliese (Bull Seism Soc Am 86:337–352, 1996) and later modified by Pousse et al. (Bull Seism Soc Am 96:2103–2117, 2006) and Laurendeau et al. (Nonstationary stochastic simulation of strong ground-motion time histories: application to the Japanese database. 15 WCEE Lisbon, 2012). The model is based on the S-transform that implicitly considers both the amplitude and frequency modulation. The four model parameters required for the simulation are: Arias intensity, significant duration, central frequency, and frequency bandwidth. They were obtained from an empirical ground motion model calibrated using the accelerometric records included in the updated Italian strong-motion database ITACA. The simulated accelerograms show a good match with the ground motion model prediction of several amplitude and frequency measures, such as Arias intensity, peak acceleration, peak velocity, Fourier spectra, and response spectra
Damage patterns in the town of Amatrice after August 24th 2016 Central Italy earthquakes
The impact of the two seismic events of August 24th 2016 on the municipality of Amatrice was highly destructive. There were 298 victims, 386 injured, about 5000 homeless, and the historical center of the town suffered a great number of partial and total collapses. The 260 strong motion records obtained for the first event were analyzed and plotted in a shakemap, comparing them with the macroseismic damage surveys made in 305 localities. On the basis of an inspection survey made in September 2016, a map of the damage patterns of the buildings in the historical center was elaborated according to the EMS 98 classification. The damage level was very high, with more than 60% of the inspected buildings showing partial or total collapse. The elevated level of destruction was mainly caused by the high vulnerability of the masonry buildings, mostly due to specific vulnerability factors such as the poor quality of masonry, the lack of connections between walls and the poor connection between external walls and floors
The challenge of defining upper bounds on earthquake ground motions
Recent studies to assess very long-term seismic hazard in the United States and in Europe have brought the issue of upper limits on earthquake ground motions into the arena of problems requiring attention from the engineering seismological community. Few engineering projects are considered sufficiently critical to warrant the use of annual frequencies of exceedance so low that ground-motion estimates may become unphysical if limiting factors are not considered, but for nuclear waste repositories, for example, the issue is of great importance. The definition of upper bounds on earthquake ground motions also presents an exciting challenge for researchers in the area of seismic hazard assessment. This paper looks briefly at historical work on maximum values of ground-motion amplitudes before illustrating why this is an important issue for hazard assessments at very long return periods. The paper then discusses the factors that control the extreme values of motion, both in terms of generating higher amplitude bedrock motions and of limiting the values of motion at the ground surface. Possible channels of research that could be explored in the quest to define maximum possible ground motions are also discussed
Distinct platelet crosstalk with adaptive and innate immune cells after adenoviral and mRNA vaccination against SARS-CoV-2
Background: Genetic-based COVID-19 vaccines have proved highly effective in reducing the risk of hospitalization and death. As they were first distributed on a large-scale population, adenoviral-based vaccines were linked to a very rare thrombosis with thrombocytopenia syndrome, and the interplay between platelets and vaccinations increasingly gained attention. Objective: To study the crosstalk between platelets and the vaccine-induced immune response. Methods: We prospectively enrolled young healthy volunteers who received the mRNA-based vaccine, BNT162b2 (n=15), or the adenovirus-based vaccine, AZD1222 (n=25), and studied their short-term platelet and immune response before and after vaccine injections. In a separate cohort, we retrospectively analysed the effect of aspirin on the antibody response 1 and 5 months after BNT162b2 vaccination. Results: Here we show that a faster antibody response to either vaccine is associated with the formation of platelet aggregates with marginal zone-like B-cells, a subset geared to bridge the temporal gap between innate and adaptive immunity. However, while the mRNA-based vaccine is associated with a more gradual and tolerogenic response that fosters the crosstalk between platelets and adaptive immunity, the adenovirus-based vaccine, the less immunogenic of the two, evokes an antiviral-like response during which platelets are cleared and less likely to cooperate with B-cells. Moreover, subjects taking aspirin (n=56) display lower antibody levels after BNT162b2 vaccination compared to matched individuals. Conclusions: Platelets are a component of the innate immune pathways that promote the B-cell response after vaccination. Future studies on the platelet-immune crosstalk post-immunization will improve safety, efficacy, and strategic administration of next-generation vaccines
Dependability in dynamic, evolving and heterogeneous systems: the CONNECT approach
The EU Future and Emerging Technologies (FET) Project Connect aims at dropping the heterogeneity barriers that prevent the eternality of networking systems through a revolutionary approach: to synthesise on-the-fly the Connectors via which networked systems communicate. The Connect approach, however, comes at risk from the standpoint of dependability, stressing the need for methods and tools that ensure resilience to faults, errors and malicious attacks of the dynamically Connected system. We are investigating a comprehensive approach, which combines dependability analysis, security enforcement and trust assessment, and is centred around a lightweight adaptive monitoring framework. In this project paper, we overview the research that we are undertaking towards this objective and propose a unifying workflow process that encompasses all the Connect dependability/security/trust concepts and models