Out of sight, out of mind? How vulnerable dependencies affect open-source projects
Empirical Software Engineering (IF 3.5), Pub Date: 2021-04-21, DOI: 10.1007/s10664-021-09959-3
Gede Artha Azriadi Prana, Abhishek Sharma, Lwin Khin Shar, Darius Foo, Andrew E. Santosa, Asankhaya Sharma, David Lo

Context

Software developers often use open-source libraries in their project to improve development speed. However, such libraries may contain security vulnerabilities, and this has resulted in several high-profile incidents in recent years. As usage of open-source libraries grows, understanding of these dependency vulnerabilities becomes increasingly important.

Objective

In this work, we analyze vulnerabilities in open-source libraries used by 450 software projects written in Java, Python, and Ruby. Our goal is to examine types, distribution, severity, and persistence of the vulnerabilities, along with relationships between their prevalence and project as well as commit attributes.

Method

Our data is obtained by scanning versions of the sample projects after each commit made between November 1, 2017 and October 31, 2018 using an industrial software composition analysis tool, which provides information such as library names and versions, dependency types (direct or transitive), and known vulnerabilities.

Results

Among other findings, we found that project activity level, popularity, and developer experience do not translate into better or worse handling of dependency vulnerabilities. We also found “Denial of Service” and “Information Disclosure” types of vulnerabilities being common across the languages studied. Further, we found that most dependency vulnerabilities persist throughout the observation period (mean of 78.4%, 97.7%, and 66.4% for publicly-known vulnerabilities in our Java, Python, and Ruby datasets respectively), and the resolved ones take 3-5 months to fix.
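A worked illustration of the persistence measurement described in the Method and Results sections, added here as an example and not code from the paper or its authors: given per-commit scan results, it flags vulnerabilities that persist to the end of the observation window and computes time-to-fix for the resolved ones. The scan dates and vulnerability IDs are constructed.

```python
from datetime import date
from statistics import mean

# Constructed example: one project's SCA scan after each commit in the
# observation window, reduced to the set of known-vulnerability IDs reported.
# The IDs are hypothetical; a real tool would report CVE/advisory identifiers.
OBSERVATION_END = date(2018, 10, 31)
SCANS = [
    (date(2017, 11, 1), {"VULN-A", "VULN-B", "VULN-C"}),
    (date(2018, 2, 15), {"VULN-A", "VULN-C"}),   # VULN-B gone after a library update
    (date(2018, 6, 1), {"VULN-A"}),              # VULN-C gone
    (date(2018, 10, 31), {"VULN-A"}),            # VULN-A still present at window end
]


def vulnerability_timeline(scans, observation_end=OBSERVATION_END):
    """Map each vulnerability ID to (first_seen, resolved_on).

    resolved_on is the date of the first scan in which the vulnerability is no
    longer reported, or None if it is still reported in the last scan of the
    window. A vulnerability that reappears later (e.g. after a downgrade) keeps
    its first resolution date, i.e. this measures time until first fix.
    """
    first_seen, resolved_on = {}, {}
    for scan_date, vulns in sorted(scans):
        if scan_date > observation_end:
            continue  # ignore commits outside the observation window
        for v in vulns:
            first_seen.setdefault(v, scan_date)
        for v in first_seen:
            if v not in vulns and v not in resolved_on:
                resolved_on[v] = scan_date
    return {v: (first_seen[v], resolved_on.get(v)) for v in first_seen}


def persistence_stats(scans, observation_end=OBSERVATION_END):
    """Return (persisted_fraction, mean_days_to_fix, days_to_fix_per_vuln)."""
    timeline = vulnerability_timeline(scans, observation_end)
    persisted = [v for v, (_, fixed) in timeline.items() if fixed is None]
    days_to_fix = {v: (fixed - seen).days
                   for v, (seen, fixed) in timeline.items() if fixed is not None}
    fraction = len(persisted) / len(timeline) if timeline else 0.0
    mean_fix = mean(days_to_fix.values()) if days_to_fix else None
    return fraction, mean_fix, days_to_fix


if __name__ == "__main__":
    frac, mean_fix, per_vuln = persistence_stats(SCANS)
    print(f"persisted: {frac:.1%}, mean days to fix: {mean_fix}, {per_vuln}")
```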

Conclusion

Our results highlight the importance of managing the number of dependencies and performing timely updates, and indicate some areas that can be prioritized to improve security in a wide range of projects, such as prevention and mitigation of Denial-of-Service attacks.


Updated: 2021-04-21