Dependency Practices for Vulnerability Mitigation
- URL: http://arxiv.org/abs/2310.07847v1
- Date: Wed, 11 Oct 2023 19:48:46 GMT
- Title: Dependency Practices for Vulnerability Mitigation
- Authors: Abbas Javan Jafari, Diego Elias Costa, Ahmad Abdellatif, Emad Shihab
- Abstract summary: We analyze more than 450 vulnerabilities in the npm ecosystem to understand why dependent packages remain vulnerable.
We identify over 200,000 npm packages that are infected through their dependencies.
We use 9 features to build a prediction model that identifies packages that quickly adopt the vulnerability fix and prevent further propagation of vulnerabilities.
- Score: 4.710141711181836
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Relying on dependency packages accelerates software development, but it also
increases the exposure to security vulnerabilities that may be present in
dependencies. While developers have full control over which dependency packages
(and which version) they use, they have no control over the dependencies of
their dependencies. Such transitive dependencies, which often amount to a
greater number than direct dependencies, can become infected with
vulnerabilities and put software projects at risk. To mitigate this risk,
practitioners need to select dependencies that respond quickly to
vulnerabilities to prevent the propagation of vulnerable code to their project.
To identify such dependencies, we analyze more than 450 vulnerabilities in the
npm ecosystem to understand why dependent packages remain vulnerable. We
identify over 200,000 npm packages that are infected through their dependencies
and use 9 features to build a prediction model that identifies packages that
quickly adopt the vulnerability fix and prevent further propagation of
vulnerabilities. We also study the relationship between these features and the
response speed of vulnerable packages. We complement our work with a
practitioner survey to understand the applicability of our findings. Developers
can incorporate our findings into their dependency management practices to
mitigate the impact of vulnerabilities from their dependency supply chain.
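The abstract's central observation is that a dependent package stays vulnerable not only because the vulnerable library is in its tree, but because the semver range some intermediate package declares on that library may exclude the patched version, so nothing short of a new release of that intermediate lets the fix propagate. The following JavaScript is an added illustration, not code from the paper or its authors: it walks a constructed, flattened lockfile (made-up package names and versions), applies a hypothetical advisory in the affected-range/first-fixed-version shape npm and GitHub advisories use, enumerates every dependency chain that reaches the vulnerable package, and reports, per chain, whether a plain lockfile refresh would pick up the fix or which package's declared range blocks it. The range matcher is a deliberately minimal reimplementation of the `^`, `~`, `>=`, `<` and exact forms; it stands in for the `semver` package so the example runs offline, and it is an assumption of this example, as is treating the lockfile as flat.

```javascript
'use strict';

// Parse "1.2.3" (or "v1.2.3") into [major, minor, patch]; prerelease tags are ignored here.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Minimal npm range matcher: "*", exact, ^, ~, >=, < and space-separated conjunctions of those.
// Enough for the point being made; production code should use the `semver` package.
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r === '' || r === '*') return true;
  return r.split(/\s+/).every((part) => {
    if (part.startsWith('^')) {
      // caret: changes that keep the left-most non-zero component are allowed
      const lo = parseVersion(part.slice(1));
      const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : lo[1] > 0 ? [0, lo[1] + 1, 0] : [0, 0, lo[2] + 1];
      return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
    }
    if (part.startsWith('~')) {
      // tilde: patch-level changes only
      const lo = parseVersion(part.slice(1));
      return cmp(v, lo) >= 0 && cmp(v, [lo[0], lo[1] + 1, 0]) < 0;
    }
    if (part.startsWith('>=')) return cmp(v, parseVersion(part.slice(2))) >= 0;
    if (part.startsWith('<')) return cmp(v, parseVersion(part.slice(1))) < 0;
    return cmp(v, parseVersion(part)) === 0; // exact pin
  });
}

// Constructed flat lockfile (one installed version per name); names and versions are made up.
const LOCK = {
  'vuln-lib':       { version: '1.2.2', deps: {} },
  'fast-responder': { version: '3.1.0', deps: { 'vuln-lib': '^1.2.0' } },
  'pinned-lib':     { version: '0.9.4', deps: { 'vuln-lib': '1.2.2' } },
  'app-a':          { version: '1.0.0', deps: { 'fast-responder': '^3.0.0' } },
  'app-b':          { version: '1.0.0', deps: { 'pinned-lib': '~0.9.0', 'fast-responder': '^3.0.0' } },
  'clean-lib':      { version: '2.0.0', deps: {} },
};

// Hypothetical advisory in the shape npm/GitHub advisories use: affected range plus first fixed version.
const ADVISORY = { name: 'vuln-lib', vulnerable: '<1.2.3', fixed: '1.2.3' };

// Every dependency chain from `root` down to `target`, with a cycle guard.
function chainsTo(lock, root, target, seen = new Set()) {
  if (root === target) return [[target]];
  if (seen.has(root)) return [];
  const next = new Set(seen).add(root);
  const out = [];
  for (const dep of Object.keys(lock[root].deps)) {
    for (const rest of chainsTo(lock, dep, target, next)) out.push([root, ...rest]);
  }
  return out;
}

// For each package: is it infected through its dependency tree, and would a plain lockfile
// refresh pick up the fix, or does some intermediate package have to cut a new release first?
function analyze(lock, adv) {
  const installed = lock[adv.name] && lock[adv.name].version;
  const vulnerableInstalled = installed !== undefined && satisfies(installed, adv.vulnerable);
  const report = {};
  for (const name of Object.keys(lock)) {
    if (name === adv.name) continue;
    const chains = vulnerableInstalled ? chainsTo(lock, name, adv.name) : [];
    const details = chains.map((chain) => {
      // the package that declares the range on the vulnerable dependency decides whether the fix flows
      const lastDependent = chain[chain.length - 2];
      const range = lock[lastDependent].deps[adv.name];
      const adoptsFix = satisfies(adv.fixed, range);
      return { chain, range, adoptsFix, blockedBy: adoptsFix ? null : lastDependent };
    });
    report[name] = {
      infected: details.length > 0,
      fixableByRefresh: details.length > 0 && details.every((d) => d.adoptsFix),
      chains: details,
    };
  }
  return report;
}

// Stand-alone run: one line per package, naming whichever intermediate pins the vulnerable version.
for (const [name, r] of Object.entries(analyze(LOCK, ADVISORY))) {
  const blockers = r.chains.filter((c) => c.blockedBy).map((c) => `${c.blockedBy} pins "${c.range}"`);
  console.log(`${name}: infected=${r.infected} fixableByRefresh=${r.fixableByRefresh}` +
    (blockers.length ? ` blocked by ${blockers.join(', ')}` : ''));
}
```

In the constructed data, `app-a` is infected only through `fast-responder`, whose `^1.2.0` range admits `1.2.3`, so a refresh of the lock would clear it; `app-b` also reaches `vuln-lib` through `pinned-lib`, whose exact pin on `1.2.2` means `app-b` stays vulnerable until `pinned-lib` ships a release that lifts the pin. That second case is the "remains vulnerable" situation the abstract describes, and the practitioner's lever is the one the paper proposes: prefer dependencies whose maintainers re-release quickly, and check the ranges your transitive dependencies declare, not just your own.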
Related papers
- Discovery of Timeline and Crowd Reaction of Software Vulnerability Disclosures [47.435076500269545]
Apache Log4J was found to be vulnerable to remote code execution attacks.
More than 35,000 packages were forced to update their Log4J libraries with the latest version.
It is practically reasonable for software developers to update their third-party libraries whenever the software vendors have released a vulnerability-free version.
arXiv Detail & Related papers (2024-11-12T01:55:51Z)
- An Overview and Catalogue of Dependency Challenges in Open Source Software Package Registries [52.23798016734889]
This article provides a catalogue of dependency-related challenges that come with relying on OSS packages or libraries.
The catalogue is based on the scientific literature on empirical research that has been conducted to understand, quantify and overcome these challenges.
arXiv Detail & Related papers (2024-09-27T16:20:20Z)
- Improving the Shortest Plank: Vulnerability-Aware Adversarial Training for Robust Recommender System [60.719158008403376]
Vulnerability-aware Adversarial Training (VAT) is designed to defend against poisoning attacks in recommender systems.
VAT employs a novel vulnerability-aware function to estimate users' vulnerability based on the degree to which the system fits them.
arXiv Detail & Related papers (2024-09-26T02:24:03Z)
- The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition.
Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies.
We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
arXiv Detail & Related papers (2024-09-10T10:12:37Z)
- Trust, but Verify: Evaluating Developer Behavior in Mitigating Security Vulnerabilities in Open-Source Software Projects [0.11999555634662631]
This study investigates vulnerabilities in dependencies of sampled open-source software (OSS) projects.
We have identified common issues in outdated or unmaintained dependencies, that pose significant security risks.
Results suggest that reducing the number of direct dependencies and prioritizing well-established libraries with strong security records are effective strategies for enhancing the software security landscape.
arXiv Detail & Related papers (2024-08-26T13:46:48Z)
- Trusting code in the wild: Exploring contributor reputation measures to review dependencies in the Rust ecosystem [1.0310977366592338]
We use network centrality measures to proxy contributor reputation using collaboration activity.
We find that only 24% of respondents often review dependencies before adding or updating a package.
We recommend that ecosystems like GitHub, Rust, and npm implement a contributor reputation badge to aid developers in dependency reviews.
arXiv Detail & Related papers (2024-06-14T16:13:58Z)
- An empirical study of bloated dependencies in CommonJS packages [6.115666382910127]
We conduct an empirical study to investigate the bloated dependencies that are entirely unused within server-side applications.
We propose a trace-based dynamic analysis that monitors file access, to determine which dependencies are not accessed during runtime.
Our findings suggest that native support for dependency debloating in package managers could significantly alleviate the burden of maintaining dependencies.
arXiv Detail & Related papers (2024-05-28T08:04:01Z)
- See to Believe: Using Visualization To Motivate Updating Third-party Dependencies [1.7914660044009358]
Security vulnerabilities introduced by applications using third-party dependencies are on the increase.
Developers are wary of library updates, even to fix vulnerabilities, citing that being unaware, or that the migration effort to update outweighs the decision.
In this paper, we hypothesize that the dependency graph visualization (DGV) approach will motivate developers to update.
arXiv Detail & Related papers (2024-05-15T03:57:27Z)
- Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem [0.773844059806915]
A comprehensive investigation was undertaken to examine the life cycle of vulnerability in Golang.
It turned out that 66.10% of modules in the Golang ecosystem were affected by vulnerabilities.
By analyzing reasons behind non-lagged and lagged vulnerabilities, timely releasing and indexing patch versions could significantly enhance ecosystem security.
arXiv Detail & Related papers (2023-12-31T14:53:51Z)
- Analyzing Maintenance Activities of Software Libraries [65.268245109828]
Industrial applications heavily integrate open-source software libraries nowadays.
I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
arXiv Detail & Related papers (2023-06-09T16:51:25Z)
- On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
We present a novel approach to detect vulnerable clones in the Maven repository.
We retrieve over 53k potential vulnerable clones from Maven Central.
We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
arXiv Detail & Related papers (2023-06-08T20:14:46Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of its content (including all information) and is not responsible for any consequences.