Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem
- URL: http://arxiv.org/abs/2401.00515v2
- Date: Wed, 17 Jan 2024 06:16:52 GMT
- Title: Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem
- Authors: Jinchang Hu (1), Lyuye Zhang (2), Chengwei Liu (2), Sen Yang (3), Song
Huang (1) and Yang Liu (2) ((1) College of Command and Control Engineering,
Army Engineering University of PLA, NanJing, China. (2) Continental-NTU
Corporate Lab, Nanyang Technological University, Singapore, Singapore. (3)
Academy of Military Science, BeiJing, China.)
- Abstract summary: A comprehensive investigation was undertaken to examine the life cycle of vulnerability in Golang.
It turned out that 66.10% of modules in the Golang ecosystem were affected by vulnerabilities.
By analyzing reasons behind non-lagged and lagged vulnerabilities, timely releasing and indexing patch versions could significantly enhance ecosystem security.
- Score: 0.773844059806915
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Open-source software (OSS) greatly facilitates program development for
developers. However, the high number of vulnerabilities in open-source software
is a major concern, including in Golang, a relatively new programming language.
In contrast to other commonly used OSS package managers, Golang presents a
distinctive feature whereby commits are prevalently used as dependency versions
prior to their integration into official releases. This attribute can prove
advantageous to users, as patch commits can be implemented in a timely manner
before the releases. However, Golang employs a decentralized mechanism for
managing dependencies, whereby dependencies are upheld and distributed in
separate repositories. This approach can result in delays in the dissemination
of patches and unresolved vulnerabilities.
To tackle the aforementioned concern, a comprehensive investigation was
undertaken to examine the life cycle of vulnerability in Golang, commencing
from its introduction and culminating with its rectification. To this end, a
framework was established by gathering data from diverse sources and
systematically amalgamating them with an algorithm to compute the lags in
vulnerability patching. It turned out that 66.10% of modules in the Golang
ecosystem were affected by vulnerabilities. Within the vulnerability life
cycle, we found two kinds of lag impeding the propagation of vulnerability
fixing. By analyzing reasons behind non-lagged and lagged vulnerabilities,
timely releasing and indexing patch versions could significantly enhance
ecosystem security.
Related papers
- Discovery of Timeline and Crowd Reaction of Software Vulnerability Disclosures [47.435076500269545]
Apache Log4J was found to be vulnerable to remote code execution attacks.
More than 35,000 packages were forced to update their Log4J libraries with the latest version.
It is practically reasonable for software developers to update their third-party libraries whenever the software vendors have released a vulnerable-free version.
arXiv Detail & Related papers (2024-11-12T01:55:51Z) - Fixing Security Vulnerabilities with AI in OSS-Fuzz [9.730566646484304]
OSS-Fuzz is the most significant and widely used infrastructure for continuous validation of open source systems.
We customise the well-known AutoCodeRover agent for fixing security vulnerabilities.
Our experience with OSS-Fuzz vulnerability data shows that LLM agent autonomy is useful for successful security patching.
arXiv Detail & Related papers (2024-11-03T16:20:32Z) - The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition.
Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies.
We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
arXiv Detail & Related papers (2024-09-10T10:12:37Z) - ReposVul: A Repository-Level High-Quality Vulnerability Dataset [13.90550557801464]
We propose an automated data collection framework and construct the first repository-level high-quality vulnerability dataset named ReposVul.
The proposed framework mainly contains three modules: (1) A vulnerability untangling module, aiming at distinguishing vulnerability-fixing related code changes from tangled patches, in which the Large Language Models (LLMs) and static analysis tools are jointly employed, (2) A multi-granularity dependency extraction module, aiming at capturing the inter-procedural call relationships of vulnerabilities, in which we construct multiple-granularity information for each vulnerability patch, including repository-level, file-level, function-level
arXiv Detail & Related papers (2024-01-24T01:27:48Z) - Patch2QL: Discover Cognate Defects in Open Source Software Supply Chain
With Auto-generated Static Analysis Rules [1.9591497166224197]
We propose a novel technique for detecting cognate defects in OSS through the automatic generation of SAST rules.
Specifically, it extracts key syntax and semantic information from pre- and post-patch versions of code.
We have implemented a prototype tool called Patch2QL and applied it to fundamental OSS in C/C++.
arXiv Detail & Related papers (2024-01-23T02:23:11Z) - Mitigating Persistence of Open-Source Vulnerabilities in Maven Ecosystem [13.193125763978255]
Despite patches being released promptly after vulnerabilities are disclosed, the libraries and applications in the community still use the vulnerable versions.
We propose a solution for range restoration (Ranger) to automatically restore the compatible and secure version ranges of dependencies for downstream dependents.
arXiv Detail & Related papers (2023-08-07T09:11:26Z) - Analyzing Maintenance Activities of Software Libraries [65.268245109828]
Industrial applications heavily integrate open-source software libraries nowadays.
I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
arXiv Detail & Related papers (2023-06-09T16:51:25Z) - On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
We present a novel approach to detect vulnerable clones in the Maven repository.
We retrieve over 53k potential vulnerable clones from Maven Central.
We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
arXiv Detail & Related papers (2023-06-08T20:14:46Z) - VELVET: a noVel Ensemble Learning approach to automatically locate
VulnErable sTatements [62.93814803258067]
This paper presents VELVET, a novel ensemble learning approach to locate vulnerable statements in source code.
Our model combines graph-based and sequence-based neural networks to successfully capture the local and global context of a program graph.
VELVET achieves 99.6% and 43.6% top-1 accuracy over synthetic data and real-world data, respectively.
arXiv Detail & Related papers (2021-12-20T22:45:27Z) - Detecting Security Fixes in Open-Source Repositories using Static Code
Analyzers [8.716427214870459]
We study the extent to which the output of off-the-shelf static code analyzers can be used as a source of features to represent commits in Machine Learning (ML) applications.
We investigate how such features can be used to construct embeddings and train ML models to automatically identify source code commits that contain vulnerability fixes.
We find that the combination of our method with commit2vec represents a tangible improvement over the state of the art in the automatic identification of commits that fix vulnerabilities.
arXiv Detail & Related papers (2021-05-07T15:57:17Z) - Autosploit: A Fully Automated Framework for Evaluating the
Exploitability of Security Vulnerabilities [47.748732208602355]
Autosploit is an automated framework for evaluating the exploitability of vulnerabilities.
It automatically tests the exploits on different configurations of the environment.
It is able to identify the system properties that affect the ability to exploit a vulnerability in both noiseless and noisy environments.
arXiv Detail & Related papers (2020-06-30T18:49:18Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.