Vulnerability Propagation in Package Managers Used in iOS Development
- URL: http://arxiv.org/abs/2305.10339v1
- Date: Wed, 17 May 2023 16:22:38 GMT
- Title: Vulnerability Propagation in Package Managers Used in iOS Development
- Authors: Kristiina Rahkema, Dietmar Pfahl
- Abstract summary: Vulnerabilities may be found even in well-known libraries. The library dependency network in the Swift ecosystem encompasses libraries from CocoaPods, Carthage and Swift Package Manager. Although most libraries with publicly reported vulnerabilities are written in C, the highest impact of publicly reported vulnerabilities originated from libraries written in native iOS languages.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Although using third-party libraries is common practice when writing software, vulnerabilities may be found even in well-known libraries. Detected vulnerabilities are often fixed quickly in the library code. The easiest way to include these fixes in a dependent software application is to update the used library version. Package managers provide automated solutions for updating library dependencies. However, library dependencies can themselves depend on other libraries, resulting in a dependency network with several levels of indirection. Assessing the vulnerability risk induced by such dependency networks is a non-trivial task for software developers. The library dependency network in the Swift ecosystem encompasses libraries from CocoaPods, Carthage and Swift Package Manager. We analysed how vulnerabilities propagate in the library dependency network of the Swift ecosystem, how vulnerable dependencies could be fixed via dependency upgrades, and whether third-party vulnerability analysis could be made more precise given public information on these vulnerabilities. We found that only 5.9% of connected libraries had a direct or transitive dependency on a vulnerable library. Although we found that most libraries with publicly reported vulnerabilities are written in C, the highest impact of publicly reported vulnerabilities originated from libraries written in native iOS languages. We found that around 30% of vulnerable dependencies could have been fixed by upgrading the library dependency. In the case of critical vulnerabilities and latest library versions, over 70% of vulnerable dependencies would have been fixed via a dependency upgrade. Lastly, we checked whether the analysis of vulnerable dependency use could be refined using publicly available information on the code location (method or class) of a reported vulnerability. We found that such information is not available most of the time.
Related papers
- Discovery of Timeline and Crowd Reaction of Software Vulnerability Disclosures (2024-11-12): Apache Log4J was found to be vulnerable to remote code execution attacks. More than 35,000 packages were forced to update their Log4J libraries with the latest version. It is practically reasonable for software developers to update their third-party libraries whenever the software vendors have released a vulnerability-free version.
- A Preliminary Study on Self-Contained Libraries in the NPM Ecosystem (2024-06-17): The widespread use of libraries within modern software ecosystems creates complex networks of dependencies. One mitigation strategy involves reducing dependencies; libraries with zero dependencies become self-contained. This paper explores the characteristics of self-contained libraries within the NPM ecosystem.
- Analyzing the Accessibility of GitHub Repositories for PyPI and NPM Libraries (2024-04-26): Industrial applications heavily rely on open-source software (OSS) libraries, which provide various benefits. To monitor the activities of such communities, a comprehensive list of repositories for the libraries of an ecosystem must be accessible. In this study, we analyze the accessibility of GitHub repositories for PyPI and NPM libraries.
- Dependency Practices for Vulnerability Mitigation (2023-10-11): We analyze more than 450 vulnerabilities in the npm ecosystem to understand why dependent packages remain vulnerable. We identify over 200,000 npm packages that are infected through their dependencies. We use 9 features to build a prediction model that identifies packages that quickly adopt the vulnerability fix and prevent further propagation of vulnerabilities.
- Identifying Vulnerable Third-Party Java Libraries from Textual Descriptions of Vulnerabilities and Libraries (2023-07-17): VulLibMiner is the first to identify vulnerable libraries from textual descriptions of both vulnerabilities and libraries. We evaluate VulLibMiner against four state-of-the-art/practice approaches for identifying vulnerable libraries on both their dataset, named VeraJava, and our VulLib dataset.
- Analyzing Maintenance Activities of Software Libraries (2023-06-09): Industrial applications heavily integrate open-source software libraries nowadays. I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
- On the Security Blind Spots of Software Composition Analysis (2023-06-08): We present a novel approach to detect vulnerable clones in the Maven repository. We retrieve over 53k potential vulnerable clones from Maven Central. We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
- Analysis of Library Dependency Networks of Package Managers Used in iOS Development (2023-05-18): The library dependency network in the Swift ecosystem encompasses libraries from CocoaPods, Carthage and Swift Package Manager (PM). Although CocoaPods is the package manager with the biggest set of libraries, the difference to other package managers is not as big as expected. Swift PM is becoming more and more popular, resulting in a gradual slow-down of the growth of the other two package managers.
- SequeL: A Continual Learning Library in PyTorch and JAX (2023-04-21): SequeL is a library for Continual Learning that supports both PyTorch and JAX frameworks. It provides a unified interface for a wide range of Continual Learning algorithms, including regularization-based approaches, replay-based approaches, and hybrid approaches. We release SequeL as an open-source library, enabling researchers and developers to easily experiment with and extend the library for their own purposes.
- Code Librarian: A Software Package Recommendation System (2022-10-11): We present a recommendation engine called Librarian for open source libraries. A candidate library package is recommended for a given context if: 1) it has been frequently used with the imported libraries in the program; 2) it has similar functionality to the imported libraries in the program; 3) it has similar functionality to the developer's implementation; and 4) it can be used efficiently in the context of the provided code.