Out of sight, out of mind? How vulnerable dependencies affect open-source projects
Context: Software developers often use open-source libraries in their project to improve development speed. However, such libraries may contain security vulnerabilities, and this has resulted in several high-profile incidents in re- cent years. As usage of open-source libraries grows, understanding...
Saved in:
| Main Authors: | , , , , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2021
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/6048 https://ink.library.smu.edu.sg/context/sis_research/article/7053/viewcontent/sourceclear___journal_2020_11_29.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-7053 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-70532023-07-19T07:39:41Z Out of sight, out of mind? How vulnerable dependencies affect open-source projects PRANA, Gede Artha Azriadi SHARMA, Abhishek SHAR, Lwin Khin FOO, Darius SANTOSA, Andrew E. SHARMA, Asankhaya LO, David Context: Software developers often use open-source libraries in their project to improve development speed. However, such libraries may contain security vulnerabilities, and this has resulted in several high-profile incidents in re- cent years. As usage of open-source libraries grows, understanding of these dependency vulnerabilities becomes increasingly important. Objective: In this work, we analyze vulnerabilities in open-source libraries used by 450 software projects written in Java, Python, and Ruby. Our goal is to examine types, distribution, severity, and persistence of the vulnerabili- ties, along with relationships between their prevalence and project as well as commit attributes. Method: Our data is obtained by scanning versions of the sample projects after each commit made between November 1, 2017 and October 31, 2018 using an industrial software composition analysis tool, which provides information such as library names and versions, dependency types (direct or transitive), and known vulnerabilities. Results: Among other findings, we found that project activity level, popu- larity, and developer experience do not translate into better or worse han- dling of dependency vulnerabilities. We also found “Denial of Service” and “Information Disclosure” types of vulnerabilities being common across the languages studied. Further, we found that most dependency vulnerabilities persist throughout the observation period (mean of 78.4%, 97.7%, and 66.4% for publicly-known vulnerabilities in our Java, Python, and Ruby datasets respectively), and the resolved ones take 3-5 months to fix. Conclusion: Our results highlight the importance of managing the number of dependencies and performing timely updates, and indicate some areas that can be prioritized to improve security in wide range of projects, such as prevention and mitigation of Denial-of-Service attacks. 2021-04-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/6048 info:doi/10.1007/s10664-021-09959-3 https://ink.library.smu.edu.sg/context/sis_research/article/7053/viewcontent/sourceclear___journal_2020_11_29.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Empirical Study Security Software Composition Analysis Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Empirical Study Security Software Composition Analysis Software Engineering |
| spellingShingle |
Empirical Study Security Software Composition Analysis Software Engineering PRANA, Gede Artha Azriadi SHARMA, Abhishek SHAR, Lwin Khin FOO, Darius SANTOSA, Andrew E. SHARMA, Asankhaya LO, David Out of sight, out of mind? How vulnerable dependencies affect open-source projects |
| description |
Context: Software developers often use open-source libraries in their project to improve development speed. However, such libraries may contain security vulnerabilities, and this has resulted in several high-profile incidents in re- cent years. As usage of open-source libraries grows, understanding of these dependency vulnerabilities becomes increasingly important. Objective: In this work, we analyze vulnerabilities in open-source libraries used by 450 software projects written in Java, Python, and Ruby. Our goal is to examine types, distribution, severity, and persistence of the vulnerabili- ties, along with relationships between their prevalence and project as well as commit attributes. Method: Our data is obtained by scanning versions of the sample projects after each commit made between November 1, 2017 and October 31, 2018 using an industrial software composition analysis tool, which provides information such as library names and versions, dependency types (direct or transitive), and known vulnerabilities. Results: Among other findings, we found that project activity level, popu- larity, and developer experience do not translate into better or worse han- dling of dependency vulnerabilities. We also found “Denial of Service” and “Information Disclosure” types of vulnerabilities being common across the languages studied. Further, we found that most dependency vulnerabilities persist throughout the observation period (mean of 78.4%, 97.7%, and 66.4% for publicly-known vulnerabilities in our Java, Python, and Ruby datasets respectively), and the resolved ones take 3-5 months to fix. Conclusion: Our results highlight the importance of managing the number of dependencies and performing timely updates, and indicate some areas that can be prioritized to improve security in wide range of projects, such as prevention and mitigation of Denial-of-Service attacks. |
| format |
text |
| author |
PRANA, Gede Artha Azriadi SHARMA, Abhishek SHAR, Lwin Khin FOO, Darius SANTOSA, Andrew E. SHARMA, Asankhaya LO, David |
| author_facet |
PRANA, Gede Artha Azriadi SHARMA, Abhishek SHAR, Lwin Khin FOO, Darius SANTOSA, Andrew E. SHARMA, Asankhaya LO, David |
| author_sort |
PRANA, Gede Artha Azriadi |
| title |
Out of sight, out of mind? How vulnerable dependencies affect open-source projects |
| title_short |
Out of sight, out of mind? How vulnerable dependencies affect open-source projects |
| title_full |
Out of sight, out of mind? How vulnerable dependencies affect open-source projects |
| title_fullStr |
Out of sight, out of mind? How vulnerable dependencies affect open-source projects |
| title_full_unstemmed |
Out of sight, out of mind? How vulnerable dependencies affect open-source projects |
| title_sort |
out of sight, out of mind? how vulnerable dependencies affect open-source projects |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2021 |
| url |
https://ink.library.smu.edu.sg/sis_research/6048 https://ink.library.smu.edu.sg/context/sis_research/article/7053/viewcontent/sourceclear___journal_2020_11_29.pdf |
| _version_ |
1772829244882157568 |