Understanding the Practice of Security Patch Management across Multiple Branches in OSS Projects

Tan, Xin; Zhang, Yuan; Cao, Jiajun; Sun, Kun; Zhang, Mi; Yang, Min

doi:10.1145/3485447.3512236

Cited by 5 publications

(4 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Fitzgerald et al [33] proposed a knowledge flow graph that connects libraries, files, projects, authors, and code instances together to measure the multi-facet Free/libre open source ecosystem. Tan et al [44] found that over 80% of affected CVE-Branch pairs remained unpatched in OSS projects. Xu et al [49] studied CLV issues in PyPI and Maven ecosystems, identifying 82, 951 projects dependent on vulnerable C project versions.…”

Section: Related Workmentioning

confidence: 99%

Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem

Hu,

Zhang,

Liu

et al. 2024

Proceedings of the IEEE/ACM 46th International Conference on Software Engineering

View full text Add to dashboard Cite

Open-source software (OSS) greatly facilitates program development for developers. However, the high number of vulnerabilities in open-source software is a major concern, including in Golang, a relatively new programming language. In contrast to other commonly used OSS package managers, Golang presents a distinctive feature whereby commits are prevalently used as dependency versions prior to their integration into official releases. This attribute can prove advantageous to users, as patch commits can be implemented in a timely manner before the releases. However, Golang employs a decentralized mechanism for managing dependencies, whereby dependencies are upheld and distributed in separate repositories. This approach can result in delays in the dissemination of patches and unresolved vulnerabilities.To tackle the aforementioned concern, a comprehensive investigation was undertaken to examine the life cycle of vulnerability in Golang, commencing from its introduction and culminating with its rectification. To this end, a framework was established by gathering data from diverse sources and systematically amalgamating them with an algorithm to compute the lags in vulnerability patching. It turned out that 66.10% of modules in the Golang ecosystem were affected by vulnerabilities. Within the vulnerability life cycle, we found two kinds of lag impeding the propagation of vulnerability fixing. By analyzing reasons behind non-lagged and lagged vulnerabilities, timely releasing and indexing patch versions could significantly enhance ecosystem security.

show abstract

Section: Related Workmentioning

confidence: 99%

Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem

Hu,

Zhang,

Liu

et al. 2024

Proceedings of the IEEE/ACM 46th International Conference on Software Engineering

View full text Add to dashboard Cite

show abstract

“…Goggins et al [3] conducted a four-year research study and provide insight into the work of the CHAOSS project, including both the metrics used as well as the open-source implementation Augur. 6 Since they elaborate on the OSS community's as well as other stakeholders' opinions (collected during their field study) regarding suitable definitions of health and sustainability, their work might prove useful for selecting and adapting our own metrics.…”

Section: Related Workmentioning

confidence: 99%

“…Various research articles [1,6] focus on the collection and provision of security-related metrics and information on open-source projects. Although the health of OSS projects comprises several different aspects, security is a vital part, affecting both integrity and sustainability.…”

Section: Related Workmentioning

confidence: 99%

Towards a Critical Open-Source Software Database

Dam

Klausner

Neumaier

2023

Companion Proceedings of the ACM Web Conference 2023

View full text Add to dashboard Cite

Open-source software (OSS) plays a vital role in the modern software ecosystem. However, the maintenance and sustainability of OSS projects can be challenging. In this paper, we present the CrOSSD project, which aims to build a database of OSS projects and measure their current project "health" status. In the project, we will use both quantitative and qualitative metrics to evaluate the health of OSS projects. The quantitative metrics will be gathered through automated crawling of meta information such as the number of contributors, commits and lines of code. Qualitative metrics will be gathered for selected "critical" projects through manual analysis and automated tools, including aspects such as sustainability, funding, community engagement and adherence to security policies. The results of the analysis will be presented on a user-friendly web platform, which will allow users to view the health of individual OSS projects as well as the overall health of the OSS ecosystem. With this approach, the CrOSSD project provides a comprehensive and up-to-date view of the health of OSS projects, making it easier for developers, maintainers and other stakeholders to understand the health of OSS projects and make informed decisions about their use and maintenance. CCS CONCEPTS• Software and its engineering → Software libraries and repositories; Open source model; • Security and privacy → Software and application security.

show abstract

“…The detection and reporting of vulnerabilities and threats in open-source software has been the subject of extensive research for several years already [6]- [8]. In a recent paper, Tan et al report the deployment of security patches on stable branches of open-source projects [9]. Similar to our approach, the authors map CVE entries based on the name of an opensource package.…”

Section: Related Workmentioning

confidence: 99%

Challenges of mapping Vulnerabilities and Exposures to Open-Source Packages

Dam¹,

Neumaier²

2022

Preprint

View full text Add to dashboard Cite

Much of the current software depends on open-source components, which in turn have complex dependencies on other open-source libraries. Vulnerabilities in open source therefore have potentially huge impacts. The goal of this work is to get a quantitative overview of the frequency and evolution of existing vulnerabilities in popular software repositories and package managers. To this end, we provide an up-to-date overview of the open source landscape and its most popular package managers. We discuss approaches to map entries of the Common Vulnerabilities and Exposures (CVE) list to open-source libraries. Based on this mapping approaches, we show the frequency and distribution of CVE entries with respect to popular programming languages.

show abstract

Understanding the Practice of Security Patch Management across Multiple Branches in OSS Projects

Cited by 5 publications

References 15 publications

Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem

Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem

Towards a Critical Open-Source Software Database

Challenges of mapping Vulnerabilities and Exposures to Open-Source Packages

Contact Info

Product

Resources

About