Businesses and organizations worldwide rely more and more on networked computer systems for information and services. The computer systems can include computing devices as well as computer networks such as private and public networks (including the Internet). A business' computer system may have a software codebase of hundreds or thousands of different computer applications or software (“software applications”). The software applications may include some applications that have been internally developed and other applications that are vendor-developed. In either case, the applications may include numerous common components (“third-party components”) that are developed by or sourced from third parties. A single third-party component may be utilized or deployed in more than one software application.
A third-party component may be later discovered to have a defect, bug, or software “vulnerability” (e.g., a weakness or mistake that can be directly used by an unauthorized third party to gain access to a computer system or network). A remedy may involve replacement of the defective component or installation of a “software patch” to correct the defect or bug. Maintenance of software applications, each of which may include several third-party components, can include installation of patches for defective third-party components to ensure that the software applications execute or run securely and as intended. Such maintenance of software applications may involve complex logistics and can be costly. However, remedying a defective component in a particular software application may or may not be urgent, depending on the use or impact of the defective component in the particular application context. Accordingly, a software application maintainer may prioritize installation of a patch for a defective software application component based on, for example, an assessment of the relevance (e.g., exploitability of the defect in the case of a security bug) of the defective component in the particular application context. For example, a software application may include a “printer” component. However, if the application cannot be used for printing, it may not be critical or important to patch a defective printer component in the application immediately.
Traditionally, the (software) defect in the third-party component is described only at an abstract level (e.g., in a natural language description of coarse-grained component functionality and the potential impact of the vulnerability). A human assessment of the severity of the defect in an application context, which is based, for example, on the natural language description and expert knowledge of the use of the component, can be erroneous—leading to both false positives and false negatives.
Consideration is being given to automated systems and methods for assessing the context-specific relevance or importance of patching defective components in software applications.
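The following is an added illustration of one way such a context-specific assessment could be automated; it is example code written for this page, not the method described by the document. It assumes that each application can be modelled as a call graph starting from its entry points, and that a vulnerability record names the specific component functions that carry the defect. The applications, call graphs, vulnerability identifier, severity value and the down-weighting factor for unreachable defects are all constructed sample values.

```python
"""Context-aware patch prioritisation (added example, not the document's method).

Each application is a call graph; a vulnerability is tagged with the component
functions that carry the defect. A defect is "reachable" in an application if
some entry point can call a defective function through the graph. Reachability
is combined with a base severity to rank patches across the codebase.
"""
from collections import deque

# Constructed sample call graphs: keys are functions, values are their callees.
# Two applications embed the same "printer" component; a third does not use it.
CALL_GRAPHS = {
    "invoice-app": {
        "main": ["render_report", "printer.print_document"],
        "render_report": ["pdf.render"],
        "pdf.render": [],
        "printer.print_document": ["printer.parse_ps"],
        "printer.parse_ps": [],
    },
    "inventory-app": {
        "main": ["load_stock", "printer.list_printers"],
        "load_stock": ["db.query"],
        "db.query": [],
        "printer.list_printers": [],
        # Linked into the binary but never called from any entry point.
        "printer.print_document": ["printer.parse_ps"],
        "printer.parse_ps": [],
    },
    "web-portal": {
        "main": ["http.serve"],
        "http.serve": [],
    },
}

ENTRY_POINTS = {app: ["main"] for app in CALL_GRAPHS}

# Constructed vulnerability record (placeholder id, assumed severity scale 0-10).
VULNERABILITIES = [
    {
        "id": "VULN-EXAMPLE-1",
        "component": "printer",
        "functions": ["printer.parse_ps"],
        "base_severity": 7.5,
    }
]

# Assumed policy: an unreachable defect is not ignored, because static call
# graphs miss dynamic dispatch, reflection and plugins; it is only de-prioritised.
UNREACHABLE_WEIGHT = 0.2


def find_path(graph, entry_points, targets):
    """Breadth-first search; returns one call path from an entry point to a
    target function, or None if no target is reachable."""
    parents = {entry: None for entry in entry_points}
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn in targets:
            path = []
            while fn is not None:
                path.append(fn)
                fn = parents[fn]
            return list(reversed(path))
        for callee in graph.get(fn, []):
            if callee not in parents:
                parents[callee] = fn
                queue.append(callee)
    return None


def assess(app, vuln):
    """Classify a vulnerability in one application context and score it."""
    graph = CALL_GRAPHS[app]
    prefix = vuln["component"] + "."
    if not any(fn.startswith(prefix) for fn in graph):
        return {"app": app, "vuln": vuln["id"], "status": "not-present",
                "priority": 0.0, "path": None}
    path = find_path(graph, ENTRY_POINTS[app], set(vuln["functions"]))
    if path is None:
        return {"app": app, "vuln": vuln["id"], "status": "present-unreachable",
                "priority": vuln["base_severity"] * UNREACHABLE_WEIGHT, "path": None}
    return {"app": app, "vuln": vuln["id"], "status": "reachable",
            "priority": vuln["base_severity"], "path": path}


def prioritise(vulns=VULNERABILITIES, apps=CALL_GRAPHS):
    """Rank every (application, vulnerability) pair, most urgent first."""
    results = [assess(app, v) for app in apps for v in vulns]
    return sorted(results, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for r in prioritise():
        print(f"{r['priority']:4.1f}  {r['app']:<14} {r['status']:<20} {r['path']}")
```

Running the block ranks `invoice-app` first, because its entry point reaches the defective function through `printer.print_document`; `inventory-app` contains the same component but never invokes the defective code path from any entry point, so it is scored low rather than zero; `web-portal` does not contain the component at all. The retained call path is the evidence a reviewer would want when checking an automated "reachable" verdict, and the non-zero weight for unreachable defects reflects the limits of static call-graph analysis.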