ABSTRACT
Security vulnerabilities are among the most pressing problems in open source software package libraries. It may take a long time to discover and fix vulnerabilities in packages. In addition, vulnerabilities may propagate to dependent packages, making them vulnerable too. This paper presents an empirical study of nearly 400 security reports over a 6-year period in the npm dependency network, which contains over 610k JavaScript packages. Taking into account the severity of vulnerabilities, we analyse how and when these vulnerabilities are discovered and fixed, and to what extent they affect other packages in the packaging ecosystem in the presence of dependency constraints. We report our findings and provide guidelines for package maintainers and tool developers to improve the process of dealing with security issues.
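The propagation question the abstract raises, whether a dependent's version constraint lets it resolve to a vulnerable release of a dependency and whether it later admits the fixed release, can be made concrete with the following added example. It is not code from the paper or from npm: it implements a small hand-written subset of node-semver range syntax (exact, `^`, `~`, `>=`, `>`, `<=`, `<`, and whitespace-separated conjunctions) instead of depending on the `semver` package, and the package `sample-lib`, its release history, the advisory range and the dependents `app-a` to `app-e` are constructed for illustration.

```javascript
// Added example, not from the paper: does a dependent's npm-style version constraint let it
// resolve to a vulnerable release of a dependency, and does it admit the fixed release?
// The range parser below is a hand-rolled subset of node-semver (exact, ^, ~, >=, >, <=, <,
// and whitespace-separated conjunctions); prerelease tags, "||" and "x" wildcards are not handled.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);          // [major, minor, patch]
}

function cmp(a, b) {                      // compare two parsed versions
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Turn one comparator token ("^1.2.3", "~0.4.1", ">=2.0.0", "1.0.0") into a predicate.
function comparator(tok) {
  const m = /^(\^|~|>=|<=|>|<|=)?(.+)$/.exec(tok);
  const op = m[1] || '=';
  const v = parseVersion(m[2]);
  const [maj, min] = v;
  switch (op) {
    case '=':  return x => cmp(x, v) === 0;
    case '>=': return x => cmp(x, v) >= 0;
    case '>':  return x => cmp(x, v) > 0;
    case '<=': return x => cmp(x, v) <= 0;
    case '<':  return x => cmp(x, v) < 0;
    case '~':  // patch updates only: same major.minor, not below v
      return x => cmp(x, v) >= 0 && x[0] === maj && x[1] === min;
    case '^':  // updates that keep the left-most non-zero component unchanged
      if (maj > 0) return x => cmp(x, v) >= 0 && x[0] === maj;
      if (min > 0) return x => cmp(x, v) >= 0 && x[0] === 0 && x[1] === min;
      return x => cmp(x, v) === 0;       // ^0.0.z behaves like an exact pin
    default:   throw new Error(`unsupported operator: ${op}`);
  }
}

// A range is a conjunction of comparators, e.g. ">=1.1.0 <1.3.0".
function satisfies(version, range) {
  const x = parseVersion(version);
  return range.trim().split(/\s+/).every(tok => comparator(tok)(x));
}

// npm picks the highest published release the constraint admits (null if none).
function resolve(constraint, releases) {
  const ok = releases.filter(r => satisfies(r, constraint));
  return ok.length ? ok.reduce((a, b) => (cmp(parseVersion(a), parseVersion(b)) >= 0 ? a : b)) : null;
}

// For each dependent: what it resolves to before and after the fixed release exists,
// and whether that resolution falls inside the advisory's vulnerable range.
function assess(advisory, dependents) {
  const fixed = parseVersion(advisory.fixedIn);
  const beforeFix = advisory.releases.filter(r => cmp(parseVersion(r), fixed) < 0);
  return dependents.map(d => {
    const pre = resolve(d.constraint, beforeFix);
    const post = resolve(d.constraint, advisory.releases);
    return {
      dependent: d.name,
      constraint: d.constraint,
      resolvesBeforeFix: pre,
      exposedBeforeFix: pre !== null && satisfies(pre, advisory.vulnerable),
      resolvesAfterFix: post,
      exposedAfterFix: post !== null && satisfies(post, advisory.vulnerable),
    };
  });
}

// Constructed data (hypothetical package, releases and advisory): the vulnerability
// affects 1.1.0 up to but excluding the fix in 1.3.0.
const ADVISORY = {
  package: 'sample-lib',
  releases: ['1.0.0', '1.1.0', '1.2.0', '1.2.1', '1.3.0'],
  vulnerable: '>=1.1.0 <1.3.0',
  fixedIn: '1.3.0',
};
const DEPENDENTS = [
  { name: 'app-a', constraint: '^1.1.0' },          // caret: fix arrives on next install
  { name: 'app-b', constraint: '~1.2.0' },          // tilde: stays on 1.2.1 after the fix
  { name: 'app-c', constraint: '1.0.0' },           // pinned below the vulnerable range
  { name: 'app-d', constraint: '>=1.0.0 <1.2.0' },  // upper bound excludes the fix
  { name: 'app-e', constraint: '>=2.0.0' },         // nothing published satisfies it
];
const REPORT = assess(ADVISORY, DEPENDENTS);

console.table(REPORT);
```

Run it with `node`. The point the table makes is the one the abstract's "dependency constraints" phrase hides: npm resolves to the highest release a constraint admits, so a dependent benefits from a fix only if its constraint admits the fixed release. A caret range on the same major picks up the fix at the next install, while tilde ranges, pins and explicit upper bounds keep resolving to the vulnerable release until the dependent's maintainer edits `package.json`; a lockfile adds a further delay, since even a permissive range is not re-resolved until `npm update` runs.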