Out of sight, out of mind? How vulnerable dependencies affect open-source projects

Prana, Gede Artha Azriadi; Sharma, Abhishek; Shar, Lwin Khin; Foo, Darius; Santosa, Andrew E.; Sharma, Asankhaya; Lo, David

doi:10.1007/s10664-021-09959-3

Cited by 32 publications

(8 citation statements)

References 57 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, patching may not be as effective as removal. Scholars have found that developers are often tardy at updating SDR because of dependency complexity and passive legacy function management (Alfadel et al, 2023; Kula et al, 2018; Prana et al, 2021).…”

Section: Hypothesis Developmentmentioning

confidence: 99%

Vulnerability diffusions in software product networks

Kang

Templeton

2023

J of Ops Management

View full text Add to dashboard Cite

During software product development, the combination of digital resources (such as application programming interfaces and software development kits) establishes loose and tight edges between nodes, which form a software product network (SPN). These edges serve as observable conduits that may help practitioners and researchers better understand how vulnerabilities diffuse through SPNs. We apply network theory to analyze data from over 12 years of records extracted from the National Vulnerability Database. We contribute novel measures established using machine learning to gauge the properties influencing vulnerability diffusion within an SPN. We observed an SPN having a discernable shape that changed over time via network updates. We propose hypotheses and find empirical evidence that vulnerability diffusion is influenced by edge dynamics, developer responses, and their interaction. Implications for practice are that increased developer responses reduce software vulnerability diffusion attributed to edge dynamics.

show abstract

Section: Hypothesis Developmentmentioning

confidence: 99%

Vulnerability diffusions in software product networks

Kang

Templeton

2023

J of Ops Management

View full text Add to dashboard Cite

show abstract

“…Several tools [11][12][13][14] have been proposed to address dependency conflicts and redundant dependencies in Python programs and Jar files. Li et al and Prana et al [15,16] studied dependency conflicts and dependency vulnerability respectively. To our knowledge, only Ye [2] paid attention to the build dependency and provides a way to sort the build order of source packages of Linux distributions.…”

Section: General Dependency (Gd)mentioning

confidence: 99%

A Case Study of Dependency Network for Building Packages: The Fedora Linux Distribution

Du,

Zhu,

et al. 2023

International Conferences on Software Engineering and Knowledge Engineering

View full text Add to dashboard Cite

To port the Linux distributions to a new Instruction Set Architecture (ISA), developers have to rebuild the software packages of the distributions. The complex dependencies of the software packages bring a great challenge. It is important to understand and properly handle the dependencies. We selected Fedora, a typical Linux distribution, and studied the dependencies within the software repositories of aarch64 and x86_64 architecture. We proposed a package dependency network framework to study the roles played by different packages. We obtained three network dependency patterns and proposed the corresponding division strategies which help developer build the source packages in parallel. Our study reveals that the key packages located at the root of multiple dependency chains significantly impact the division of the network, and their builds should be prioritized. Meanwhile, some packages with external dependencies can be temporarily masked to make a sub-network independent. Furthermore, the network dependency patterns are also observed in Fedora 33 riscv64 and OpenEuler riscv64. Our findings can help researchers have a better knowledge of Linux distribution dependency network and help practitioners conduct efficient package builds.

show abstract

“…Many existing works and tools have been proposed to demystify the impact of TPL vulnerabilities in different ecosystems. Some researchers [26,38,39,41] investigate the vulnerability impact and their life spans from the perspective of ecosystems, some researchers [31,34,35,42,50] conduct empirical studies on technical lags from the perspective of user projects (i.e., the delays of upgrading vulnerable dependencies). Tools like SCA (Software Composition Analysis) [24] are also proposed to identify TPL vulnerabilities in user projects.…”

Section: Introductionmentioning

confidence: 99%

Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem

Hu,

Zhang,

Liu

et al. 2024

Proceedings of the IEEE/ACM 46th International Conference on Software Engineering

View full text Add to dashboard Cite

Open-source software (OSS) greatly facilitates program development for developers. However, the high number of vulnerabilities in open-source software is a major concern, including in Golang, a relatively new programming language. In contrast to other commonly used OSS package managers, Golang presents a distinctive feature whereby commits are prevalently used as dependency versions prior to their integration into official releases. This attribute can prove advantageous to users, as patch commits can be implemented in a timely manner before the releases. However, Golang employs a decentralized mechanism for managing dependencies, whereby dependencies are upheld and distributed in separate repositories. This approach can result in delays in the dissemination of patches and unresolved vulnerabilities.To tackle the aforementioned concern, a comprehensive investigation was undertaken to examine the life cycle of vulnerability in Golang, commencing from its introduction and culminating with its rectification. To this end, a framework was established by gathering data from diverse sources and systematically amalgamating them with an algorithm to compute the lags in vulnerability patching. It turned out that 66.10% of modules in the Golang ecosystem were affected by vulnerabilities. Within the vulnerability life cycle, we found two kinds of lag impeding the propagation of vulnerability fixing. By analyzing reasons behind non-lagged and lagged vulnerabilities, timely releasing and indexing patch versions could significantly enhance ecosystem security.

show abstract

Out of sight, out of mind? How vulnerable dependencies affect open-source projects

Cited by 32 publications

References 57 publications

Vulnerability diffusions in software product networks

Vulnerability diffusions in software product networks

A Case Study of Dependency Network for Building Packages: The Fedora Linux Distribution

Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem

Contact Info

Product

Resources

About