Overview

The Challenges of Securing Open Source Software

Open source software is a cornerstone of modern development, with over 90% of applications relying on open source components. However, vulnerabilities in these libraries have become a major security challenge. In 2024 alone, more than 40,000 new CVEs were published—an all-time high. 

The kicker? If you’re involved in vulnerability management in any capacity, you know that most disclosures fail to specify the exact vulnerable functions within affected libraries. This lack of precision makes it difficult for security teams to assess actual risk and plan remediation actions efficiently.

And even when a CVE does disclose a vulnerable function, traditional tooling gives you no way to verify whether that function is actually called in your running application.

The Limitations of Current Vulnerability Disclosures

When a new CVE is published, advisories often only include broad indicators of risk—such as affected package versions. This lack of granularity leads to inefficient remediation efforts, with teams spending valuable time fixing issues that may not even be exploitable in their environment or worse: leaving vulnerable functions live and executed in their running applications.

In fact, we estimate that open source and commercial advisory services today identify the vulnerable function for less than 3% of CVEs.

Oligo’s Breakthrough: Function-Level Vulnerability Identification and Verification

Oligo has made a major breakthrough, identifying 1100% more vulnerable functions than any other CVE advisory worldwide. Here’s how we did it.

Step 1: Leverage LLMs to Enrich CVE information

LLMs make it possible to query specific CVEs and obtain data from many sources all at once for vulnerability advisories, threat actor activity, and more. For instance, using GenAI models (LLMs and SLMs) to compare a CVE advisory with everything that is known online about the CVE often highlights the specific vulnerable function in question. 

This is just one of many prompts that can be used to identify the vulnerable function. 

Step 2: Compare vulnerable functions with all running functions

In this step, Oligo compares the LLM-identified vulnerable function with all functions running within a given library. This validates that the function in question truly exists in that library. It’s important to note that Oligo is a real-time solution. Since we observe how libraries invoke dependencies in real time, we are not estimating reachability. Instead, we see with certainty whether a given function has been executed.

Step 3: Cross-validate vulnerable functions to ensure high accuracy

Once Oligo has identified the vulnerable function, this is tested on aggregate across large data sets. This minimizes the chance of LLM hallucinations and false positives while ensuring a high rate of accuracy and recall.
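The three steps above as an added Python sketch, not Oligo’s code: a regex stands in for the LLM extraction of Step 1, a constructed function inventory and runtime trace stand in for Step 2, and a cross-source vote stands in for Step 3. The package, function names, source snippets and CVE scenario are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed snippets about one hypothetical CVE, as if gathered from several
# independent sources (advisory text, project changelog, third-party writeup).
SOURCES = {
    "advisory": "A path traversal in the extract_archive() function of examplepkg "
                "allows writes outside the target directory.",
    "changelog": "Fix path traversal in examplepkg.archive.extract_archive.",
    "writeup": "The flaw is in extract_archive(), reached via unpack(); "
               "normalize_path() itself is not affected.",
}

# Constructed inventory of the library's functions (Step 2: does it exist?).
LIBRARY_FUNCTIONS = {
    "examplepkg.archive.extract_archive",
    "examplepkg.archive.normalize_path",
    "examplepkg.archive.unpack",
    "examplepkg.cli.main",
}

# Constructed runtime trace: functions observed executing in the application.
EXECUTED = {"examplepkg.cli.main", "examplepkg.archive.unpack",
            "examplepkg.archive.extract_archive"}

# Stand-in for the LLM extraction of Step 1: names written with "()" or as
# dotted paths. A bare word such as "extract_archive," is deliberately ignored.
CANDIDATE_RE = re.compile(
    r"\b((?:[A-Za-z_]\w*\.)*[A-Za-z_]\w*)\(\)|\b((?:[A-Za-z_]\w*\.)+[A-Za-z_]\w*)\b")


def extract_candidates(text):
    """Return the set of function names mentioned in one source text."""
    return {a or b for a, b in CANDIDATE_RE.findall(text)}


def resolve(candidate, library):
    """Map a short or dotted name onto fully qualified library functions."""
    return {f for f in library if f == candidate or f.endswith("." + candidate)}


def enrich(sources, library, executed, min_sources=2):
    """Steps 1-3: extract, resolve against the library, vote across sources."""
    votes = defaultdict(set)
    for name, text in sources.items():
        for cand in extract_candidates(text):
            for fn in resolve(cand, library):  # Step 2: must exist in the library
                votes[fn].add(name)
    return {  # Step 3: keep only functions that several sources agree on
        fn: {"sources": sorted(srcs), "executed": fn in executed}
        for fn, srcs in votes.items() if len(srcs) >= min_sources
    }
```

With the constructed inputs, only `examplepkg.archive.extract_archive` survives the vote (three sources name it) and it is flagged as executed; `unpack` and `normalize_path` are each named by a single source and are dropped.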

Measuring the Results of Oligo Vulnerable Function Enrichment

When we ran our vulnerable function enrichment across CVEs published in the last decade, we saw a huge improvement in coverage. In 2023 and 2024, we saw that we identified a vulnerable function in one out of four CVEs. This was a giant improvement from rates below 3% which we observed in both open source and commercial advisory information.

Top left figure: the source of the function name; 73% of the time the function name is included in the CVE description or metadata.
Top right figure: comparison of our algorithm against the ground truth.
Bottom figure: function coverage by our algorithm (31%) compared to other advisories (2.8%).

When we run the enrichment against a larger set of CVEs spanning a decade or more, coverage expands to 50%.

How Oligo Vulnerable Function Enrichment Transforms DevSecOps Processes

Oligo’s unique ability to track code execution down to the function level delivers highly precise vulnerability prioritization, helping teams focus on the most relevant security risks. 

By identifying the exact vulnerable function, Engineering and Security teams can:

  1. Reduce false positives and unnecessary patching efforts on vulnerabilities whose vulnerable function is never executed
  2. Enable more efficient risk management and vulnerability tracking by focusing on vulnerabilities where an executed vulnerable function has been identified
  3. Accelerate mean-time-to-remediate (MTTR) by knowing and identifying a resolution for the exact function that introduces a vulnerability

Test Oligo Vulnerability Function Enrichment Today

Customers with access to Oligo can query our API to explore whether certain CVEs have a vulnerable function identified. 
If you haven’t explored how Oligo delivers real-time application security, get in touch with us today.

Noah Simon
Head of Product Marketing

Noah Simon is Head of Product Marketing at Oligo. Noah has spent over a decade as a product marketer for cybersecurity companies, including Axonius, Dazz, and BitSight. He is passionate about cybersecurity, and always seeking to understand how new technologies can help companies and individuals protect themselves from the continually evolving cyber risk landscape.