Lessons from the Long Tail: Analysing Unsafe Dependency Updates across
Software Ecosystems
- URL: http://arxiv.org/abs/2309.04197v1
- Date: Fri, 8 Sep 2023 08:17:09 GMT
- Title: Lessons from the Long Tail: Analysing Unsafe Dependency Updates across
Software Ecosystems
- Authors: Supatsara Wattanakriengkrai, Raula Gaikovina Kula, Christoph Treude,
Kenichi Matsumoto
- Abstract summary: We present preliminary data based on three representative samples from a population of 88,416 pull requests (PRs)
We identify unsafe dependency updates (i.e., any pull request that risks being unsafe during runtime)
This includes developing best practises to address unsafe dependency updates not only in top-tier libraries but throughout the ecosystem.
- Score: 11.461455369774765
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: A risk in adopting third-party dependencies into an application is their
potential to serve as a doorway for malicious code to be injected (most often
unknowingly). While many initiatives from both industry and research
communities focus on the most critical dependencies (i.e., those most depended
upon within the ecosystem), little is known about whether the rest of the
ecosystem suffers the same fate. Our vision is to promote and establish safer
practises throughout the ecosystem. To motivate our vision, in this paper, we
present preliminary data based on three representative samples from a
population of 88,416 pull requests (PRs) and identify unsafe dependency updates
(i.e., any pull request that risks being unsafe during runtime), which clearly
shows that unsafe dependency updates are not limited to highly impactful
libraries. To draw attention to the long tail, we propose a research agenda
comprising six key research questions that further explore how to safeguard
against these unsafe activities. This includes developing best practises to
address unsafe dependency updates not only in top-tier libraries but throughout
the entire ecosystem.
Related papers
- SafeMLRM: Demystifying Safety in Multi-modal Large Reasoning Models [50.34706204154244]
Acquiring reasoning capabilities catastrophically degrades inherited safety alignment.
Certain scenarios suffer 25 times higher attack rates.
Despite tight reasoning-answer safety coupling, MLRMs demonstrate nascent self-correction.
arXiv Detail & Related papers (2025-04-09T06:53:23Z) - Out of Sight, Still at Risk: The Lifecycle of Transitive Vulnerabilities in Maven [0.3670008893193884]
Transitive vulnerabilities that arise from indirect dependencies expose projects to risks associated with Common Vulnerabilities and Exposures.
We employ survival analysis to measure the time projects remain exposed after a CVE is introduced.
Using a large dataset of Maven projects, we identify factors that influence the resolution of these vulnerabilities.
arXiv Detail & Related papers (2025-04-07T07:54:15Z) - Faster Releases, Fewer Risks: A Study on Maven Artifact Vulnerabilities and Lifecycle Management [0.14999444543328289]
We analyze the release histories of 10,000 Maven artifacts, covering over 203,000 releases and 1.7 million dependencies.
Our results show an inverse relationship between release speed and dependency outdatedness.
These findings emphasize the importance of accelerated release strategies in reducing security risks.
arXiv Detail & Related papers (2025-03-31T17:32:45Z) - Decoding Dependency Risks: A Quantitative Study of Vulnerabilities in the Maven Ecosystem [1.5499426028105905]
This study investigates vulnerabilities within the Maven ecosystem by analyzing a comprehensive dataset of 14,459,139 releases.
We show risky weaknesses, those unique to Maven, and emphasize those becoming increasingly dangerous over time.
Our findings suggest that improper handling of input and mismanagement of resources pose the most risk.
arXiv Detail & Related papers (2025-03-28T04:16:46Z) - Pinning Is Futile: You Need More Than Local Dependency Versioning to Defend against Supply Chain Attacks [23.756533975349985]
Recent high-profile incidents in open-source software have raised practitioner attention on software supply chain attacks.
Security practitioners advocate pinning dependency to specific versions rather than floating in version ranges.
We quantify, through counterfactual analysis and simulations, the security and maintenance impact of version constraints in the npm ecosystem.
arXiv Detail & Related papers (2025-02-10T16:50:48Z) - Forecasting the risk of software choices: A model to foretell security vulnerabilities from library dependencies and source code evolution [4.538870924201896]
We introduce a model capable of vulnerability forecasting at library level.
Our model can estimate the probability that a software project faces a CVE disclosure in a future time window.
arXiv Detail & Related papers (2024-11-17T23:36:27Z) - On Security Weaknesses and Vulnerabilities in Deep Learning Systems [32.14068820256729]
We specifically look into deep learning (DL) framework and perform the first systematic study of vulnerabilities in DL systems.
We propose a two-stream data analysis framework to explore vulnerability patterns from various databases.
We conducted a large-scale empirical study of 3,049 DL vulnerabilities to better understand the patterns of vulnerability and the challenges in fixing them.
arXiv Detail & Related papers (2024-06-12T23:04:13Z) - See to Believe: Using Visualization To Motivate Updating Third-party Dependencies [1.7914660044009358]
Security vulnerabilities introduced by applications using third-party dependencies are on the increase.
Developers are wary of library updates, even to fix vulnerabilities, citing that being unaware, or that the migration effort to update outweighs the decision.
In this paper, we hypothesize that the dependency graph visualization (DGV) approach will motivate developers to update.
arXiv Detail & Related papers (2024-05-15T03:57:27Z) - A Survey of Third-Party Library Security Research in Application Software [3.280510821619164]
With the widespread use of third-party libraries, associated security risks and potential vulnerabilities are increasingly apparent.
Malicious attackers can exploit these vulnerabilities to infiltrate systems, execute unauthorized operations, or steal sensitive information.
Research on third-party libraries in software becomes paramount to address this growing security challenge.
arXiv Detail & Related papers (2024-04-27T16:35:02Z) - PsySafe: A Comprehensive Framework for Psychological-based Attack, Defense, and Evaluation of Multi-agent System Safety [70.84902425123406]
Multi-agent systems, when enhanced with Large Language Models (LLMs), exhibit profound capabilities in collective intelligence.
However, the potential misuse of this intelligence for malicious purposes presents significant risks.
We propose a framework (PsySafe) grounded in agent psychology, focusing on identifying how dark personality traits in agents can lead to risky behaviors.
Our experiments reveal several intriguing phenomena, such as the collective dangerous behaviors among agents, agents' self-reflection when engaging in dangerous behavior, and the correlation between agents' psychological assessments and dangerous behaviors.
arXiv Detail & Related papers (2024-01-22T12:11:55Z) - Safeguarded Progress in Reinforcement Learning: Safe Bayesian
Exploration for Control Policy Synthesis [63.532413807686524]
This paper addresses the problem of maintaining safety during training in Reinforcement Learning (RL)
We propose a new architecture that handles the trade-off between efficient progress and safety during exploration.
arXiv Detail & Related papers (2023-12-18T16:09:43Z) - Dependency Practices for Vulnerability Mitigation [4.710141711181836]
We analyze more than 450 vulnerabilities in the npm ecosystem to understand why dependent packages remain vulnerable.
We identify over 200,000 npm packages that are infected through their dependencies.
We use 9 features to build a prediction model that identifies packages that quickly adopt the vulnerability fix and prevent further propagation of vulnerabilities.
arXiv Detail & Related papers (2023-10-11T19:48:46Z) - Robust Recommender System: A Survey and Future Directions [58.87305602959857]
We first present a taxonomy to organize current techniques for withstanding malicious attacks and natural noise.
We then explore state-of-the-art methods in each category, including fraudster detection, adversarial training, certifiable robust training for defending against malicious attacks.
We discuss robustness across varying recommendation scenarios and its interplay with other properties like accuracy, interpretability, privacy, and fairness.
arXiv Detail & Related papers (2023-09-05T08:58:46Z) - Analyzing Maintenance Activities of Software Libraries [65.268245109828]
Industrial applications heavily integrate open-source software libraries nowadays.
I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
arXiv Detail & Related papers (2023-06-09T16:51:25Z) - Evaluating Model-free Reinforcement Learning toward Safety-critical
Tasks [70.76757529955577]
This paper revisits prior work in this scope from the perspective of state-wise safe RL.
We propose Unrolling Safety Layer (USL), a joint method that combines safety optimization and safety projection.
To facilitate further research in this area, we reproduce related algorithms in a unified pipeline and incorporate them into SafeRL-Kit.
arXiv Detail & Related papers (2022-12-12T06:30:17Z) - Towards Safe Policy Improvement for Non-Stationary MDPs [48.9966576179679]
Many real-world problems of interest exhibit non-stationarity, and when stakes are high, the cost associated with a false stationarity assumption may be unacceptable.
We take the first steps towards ensuring safety, with high confidence, for smoothly-varying non-stationary decision problems.
Our proposed method extends a type of safe algorithm, called a Seldonian algorithm, through a synthesis of model-free reinforcement learning with time-series analysis.
arXiv Detail & Related papers (2020-10-23T20:13:51Z) - Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.