On the Threat of npm Vulnerable Dependencies in Node.js Applications
arXiv - CS - Software Engineering. Pub Date: 2020-09-18. DOI: arxiv-2009.09019. Authors: Mahmoud Alfadel, Diego Elias Costa, Mouafak Mokhallalati, Emad Shihab, and Bram Adams
Software vulnerabilities have a large negative impact on the software systems
that we depend on daily. Reports on software vulnerabilities always paint a
grim picture, with some reports showing that 83% of organizations depend on
vulnerable software. However, our experience leads us to believe that, in the
grand scheme of things, these software vulnerabilities may have less impact
than what is reported. Therefore, we perform a study to better understand the
threat of npm vulnerable packages used in Node.js applications. We define three
threat levels for vulnerabilities in packages, based on where in its lifecycle a
vulnerability was at the time t the dependent application started using the
package: a package vulnerability is assigned a low threat level if it was still
hidden or unknown at t, a medium threat level if it had been reported but not yet
published at t, and a high threat level if it had already been publicly announced
at t. Then, we perform an empirical study
involving 6,673 real-world, active, and mature open source Node.js
applications. Our findings show that although 67.93% of the examined
applications depend on at least one vulnerable package, 94.91% of the
vulnerable packages in those affected applications are classified as having low
threat. Moreover, we find that in the case of vulnerable packages classified as
having high threat, it is the application's lack of updating that makes them
vulnerable, i.e., it is not the existence of the vulnerability that is the real
problem. Furthermore, we verify our findings at different stages of the
application's lifetime and find that our findings still hold. Our study argues
that when it comes to software vulnerabilities, things may not be as bad as
they seem and that considering vulnerability threat is key.
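The following is an added worked example, not code from the paper or its authors. It implements the three lifecycle-based threat levels defined above for a dependency adopted at time t, and additionally records whether a fixed release already existed at t, which is the "lack of updating" situation the abstract describes for high-threat packages. It then aggregates over a set of applications to produce the two headline figures the study reports (share of applications with at least one vulnerable dependency, and the distribution of vulnerable dependencies across threat levels). All advisory identifiers, package names, versions, and dates are constructed for illustration and correspond to no real npm package or advisory.

```javascript
// Added example (not from the paper). Advisories, packages, versions and dates
// below are constructed; version ranges are simplified to "every version below
// fixedIn is affected".

// Compare two "major.minor.patch" version strings: returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Threat level of an advisory for a dependency adopted at time t (ISO date):
//   low    - vulnerability not yet reported at t (hidden / unknown)
//   medium - reported but not yet published at t
//   high   - publicly announced at t
function threatLevel(advisory, t) {
  const time = Date.parse(t);
  if (time < Date.parse(advisory.reported)) return "low";
  if (time < Date.parse(advisory.published)) return "medium";
  return "high";
}

// Constructed advisory records (hypothetical packages and dates).
const ADVISORIES = [
  { id: "ADV-A", pkg: "tpl-render", fixedIn: "2.1.0", fixedOn: "2019-01-20", reported: "2019-01-05", published: "2019-02-10" },
  { id: "ADV-B", pkg: "qs-lite",    fixedIn: "0.9.3", fixedOn: "2020-06-01", reported: "2020-05-15", published: "2020-06-02" },
  { id: "ADV-C", pkg: "tpl-render", fixedIn: "2.4.0", fixedOn: "2020-03-01", reported: "2020-02-01", published: "2020-03-03" },
];

// Evaluate one dependency {name, version, adoptedAt} against the advisories.
// Returns one finding per advisory that affects the adopted version.
function assessDependency(dep, advisories = ADVISORIES) {
  return advisories
    .filter((a) => a.pkg === dep.name && compareSemver(dep.version, a.fixedIn) < 0)
    .map((a) => ({
      advisory: a.id,
      pkg: dep.name,
      version: dep.version,
      threat: threatLevel(a, dep.adoptedAt),
      // High threat with a fix already released before adoption is the
      // "application failed to update" case rather than a truly new exposure.
      fixAvailableAtAdoption: Date.parse(a.fixedOn) <= Date.parse(dep.adoptedAt),
    }));
}

// Aggregate across applications: share of apps with at least one vulnerable
// dependency, and share of vulnerable dependencies per threat level.
function summarize(apps, advisories = ADVISORIES) {
  const perLevel = { low: 0, medium: 0, high: 0 };
  let affectedApps = 0;
  let findings = 0;
  for (const app of apps) {
    const results = app.dependencies.flatMap((d) => assessDependency(d, advisories));
    if (results.length > 0) affectedApps++;
    for (const r of results) {
      perLevel[r.threat]++;
      findings++;
    }
  }
  const pct = (n, d) => (d === 0 ? 0 : Math.round((n / d) * 10000) / 100);
  return {
    affectedAppsPct: pct(affectedApps, apps.length),
    lowPct: pct(perLevel.low, findings),
    mediumPct: pct(perLevel.medium, findings),
    highPct: pct(perLevel.high, findings),
  };
}

// Constructed applications; adoptedAt is the date the dependency entered the lockfile.
const APPS = [
  { name: "app-1", dependencies: [{ name: "tpl-render", version: "2.0.0", adoptedAt: "2018-11-01" }] },
  { name: "app-2", dependencies: [{ name: "tpl-render", version: "2.2.0", adoptedAt: "2020-04-10" }] },
  { name: "app-3", dependencies: [{ name: "qs-lite",    version: "0.9.1", adoptedAt: "2020-05-20" }] },
  { name: "app-4", dependencies: [{ name: "qs-lite",    version: "0.9.3", adoptedAt: "2020-07-01" }] },
];

console.log(JSON.stringify(summarize(APPS), null, 2));
console.log(JSON.stringify(assessDependency(APPS[1].dependencies[0]), null, 2));
```

Run with `node`. On the constructed data, app-1 adopted tpl-render before either of its advisories was reported, so both findings are low threat; app-2 adopted a version after ADV-C was published and after the fixed release 2.4.0 was available, so that finding is high threat and flagged as a missed update, which is exactly the distinction the study draws. To use this against a real project, the `adoptedAt` dates would come from the lockfile's git history and the advisory dates from an advisory database; the classification logic itself does not change.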
Updated: 2020-09-22