Towards Measuring Vulnerabilities and Exposures in Open-Source Packages
- URL: http://arxiv.org/abs/2206.14527v2
- Date: Tue, 9 May 2023 11:09:14 GMT
- Title: Towards Measuring Vulnerabilities and Exposures in Open-Source Packages
- Authors: Tobias Dam and Sebastian Neumaier
- Abstract summary: We provide an up-to-date overview of the open source landscape.
We discuss approaches to map entries of the Common Vulnerabilities and Exposures ( CVE) list to open-source libraries.
We show the frequency and distribution of existing CVE entries with respect to popular programming languages.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Much of the current software depends on open-source components, which in turn
have complex dependencies on other open-source libraries. Vulnerabilities in
open source therefore have potentially huge impacts. The goal of this work is
to get a quantitative overview of the frequency and evolution of existing
vulnerabilities in popular software repositories and package managers. To this
end, we provide an up-to-date overview of the open source landscape and its
most popular package managers, we discuss approaches to map entries of the
Common Vulnerabilities and Exposures (CVE) list to open-source libraries and we
show the frequency and distribution of existing CVE entries with respect to
popular programming languages.
Related papers
- Discovery of Timeline and Crowd Reaction of Software Vulnerability Disclosures [47.435076500269545]
Apache Log4J was found to be vulnerable to remote code execution attacks.
More than 35,000 packages were forced to update their Log4J libraries with the latest version.
It is practically reasonable for software developers to update their third-party libraries whenever the software vendors have released a vulnerable-free version.
arXiv Detail & Related papers (2024-11-12T01:55:51Z) - An Overview and Catalogue of Dependency Challenges in Open Source Software Package Registries [52.23798016734889]
This article provides a catalogue of dependency-related challenges that come with relying on OSS packages or libraries.
The catalogue is based on the scientific literature on empirical research that has been conducted to understand, quantify and overcome these challenges.
arXiv Detail & Related papers (2024-09-27T16:20:20Z) - Unicorns Do Not Exist: Employing and Appreciating Community Managers in Open Source [0.0]
Despite playing a crucial role in maintaining open-source software, community managers are often overlooked.
We suggest methods to overcome this by stressing the need for the specialisation of roles.
Following these guidelines can allow this vital role to be treated with the transparency and respect that it deserves.
arXiv Detail & Related papers (2024-06-29T07:23:53Z) - Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
We investigate the security implications of and software-based Open Radio Access Network (RAN) systems.
We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
arXiv Detail & Related papers (2024-05-03T07:18:45Z) - The Code the World Depends On: A First Look at Technology Makers' Open Source Software Dependencies [3.6840775431698893]
Open-source software (OSS) supply chain security has become a topic of concern for organizations.
Patching an OSS vulnerability can require updating other dependent software products in addition to the original package.
We do not know what packages are most critical to patch, hindering efforts to improve OSS security where it is most needed.
arXiv Detail & Related papers (2024-04-17T21:44:38Z) - A Landscape Study of Open Source and Proprietary Tools for Software Bill
of Materials (SBOM) [3.1190983209295076]
Software Bill of Materials (SBOM) is a repository that inventories all third-party components and dependencies used in an application.
Recent supply chain breaches underscore the urgent need to enhance software security and vulnerability risks.
This research paper conducts an empirical analysis to assess the current landscape of open-source and proprietary tools related to SBOM.
arXiv Detail & Related papers (2024-02-17T00:36:20Z) - Analyzing Maintenance Activities of Software Libraries [65.268245109828]
Industrial applications heavily integrate open-source software libraries nowadays.
I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
arXiv Detail & Related papers (2023-06-09T16:51:25Z) - Code Librarian: A Software Package Recommendation System [65.05559087332347]
We present a recommendation engine called Librarian for open source libraries.
A candidate library package is recommended for a given context if: 1) it has been frequently used with the imported libraries in the program; 2) it has similar functionality to the imported libraries in the program; 3) it has similar functionality to the developer's implementation, and 4) it can be used efficiently in the context of the provided code.
arXiv Detail & Related papers (2022-10-11T12:30:05Z) - Underproduction: An Approach for Measuring Risk in Open Source Software [9.701036831490766]
'Underproduction' occurs when the supply of software engineering labor becomes out of alignment with the demand of people who rely on the software produced.
We present a conceptual framework for identifying relative underproduction in software as well as a statistical method for applying our framework to a comprehensive dataset.
arXiv Detail & Related papers (2021-02-27T23:18:21Z) - Towards Utility-based Prioritization of Requirements in Open Source
Environments [51.65930505153647]
We show how utility-based prioritization approaches can be used to support contributors in conventional and open source Requirements Engineering scenarios.
As an example, we show how dependencies can be taken into account in utility-based prioritization processes.
arXiv Detail & Related papers (2021-02-17T09:05:54Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.