On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency Networks,arXiv - CS - Software Engineering

当前位置： X-MOL 学术 › arXiv.cs.SE › 论文详情

Our official English website, www.x-mol.net, welcomes your feedback! (Note: you will need to create a separate account there.)

On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency Networks
arXiv - CS - Software Engineering Pub Date : 2021-06-12 , DOI: arxiv-2106.06747
Ahmed Zerouali, Tom Mens, Alexandre Decan, Coen De Roover

The increasing interest in open source software has led to the emergence of large package distributions of reusable software libraries, such as npm and RubyGems. These software packages can be subject to security vulnerabilities that may expose dependent packages through explicitly declared dependencies. This article empirically studies security vulnerabilities affecting npm and RubyGems packages. We analyse how and when these vulnerabilities are discovered and fixed, and how their prevalence changes over time. We also analyse how vulnerable packages expose their direct and indirect dependents to vulnerabilities. We distinguish between two types of dependents: packages distributed via the package manager, and external GitHub projects. Compared to RubyGems, we observe that the number of vulnerabilities is increasing faster in npm, but vulnerabilities are also discovered faster in npm. For both package distributions, the time required to discover vulnerabilities is increasing, but npm is improving the time needed to fix vulnerabilities. A large proportion of external GitHub projects are exposed to vulnerabilities coming from direct or indirect dependencies. Around one out of three direct vulnerable dependencies to which projects or packages are exposed could be avoided, if software developers would update their dependencies to more recent releases within the same major release range.

中文翻译：

关于 npm 和 RubyGems 依赖网络中安全漏洞的影响

对开源软件日益增长的兴趣导致了可重用软件库的大型包分发的出现，例如 npm 和 RubyGems。这些软件包可能会受到安全漏洞的影响，这些漏洞可能会通过显式声明的依赖关系暴露依赖包。本文实证研究了影响 npm 和 RubyGems 包的安全漏洞。我们分析了这些漏洞是如何以及何时被发现和修复的，以及它们的流行程度如何随时间变化。我们还分析了易受攻击的软件包如何将其直接和间接依赖项暴露给漏洞。我们区分两种类型的依赖项：通过包管理器分发的包和外部 GitHub 项目。与 RubyGems 相比，我们观察到 npm 中的漏洞数量增加得更快，但是在 npm 中发现漏洞的速度也更快。对于这两个包发行版，发现漏洞所需的时间都在增加，但 npm 正在缩短修复漏洞所需的时间。很大一部分外部 GitHub 项目暴露于来自直接或间接依赖项的漏洞。如果软件开发人员将其依赖项更新到同一主要版本范围内的较新版本，则可以避免大约三分之一的项目或包暴露于其中的直接易受攻击的依赖项。很大一部分外部 GitHub 项目暴露于来自直接或间接依赖项的漏洞。如果软件开发人员将其依赖项更新到同一主要版本范围内的较新版本，则可以避免大约三分之一的项目或包暴露于其中的直接易受攻击的依赖项。很大一部分外部 GitHub 项目暴露于来自直接或间接依赖项的漏洞。如果软件开发人员将其依赖项更新到同一主要版本范围内的较新版本，则可以避免大约三分之一的项目或包暴露于其中的直接易受攻击的依赖项。

更新日期：2021-06-15

点击分享查看原文

点击收藏

阅读更多本刊最新论文