Related papers: The Code the World Depends On: A First Look at Technology Makers' Open Source Software Dependencies

The Code the World Depends On: A First Look at Technology Makers' Open Source Software Dependencies

URL: http://arxiv.org/abs/2404.11763v1
Date: Wed, 17 Apr 2024 21:44:38 GMT
Title: The Code the World Depends On: A First Look at Technology Makers' Open Source Software Dependencies
Authors: Cadence Patrick, Kimberly Ruth, Zakir Durumeric,
Abstract summary: Open-source software (OSS) supply chain security has become a topic of concern for organizations. Patching an OSS vulnerability can require updating other dependent software products in addition to the original package. We do not know what packages are most critical to patch, hindering efforts to improve OSS security where it is most needed.
Score: 3.6840775431698893
License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
Abstract: Open-source software (OSS) supply chain security has become a topic of concern for organizations. Patching an OSS vulnerability can require updating other dependent software products in addition to the original package. However, the landscape of OSS dependencies is not well explored: we do not know what packages are most critical to patch, hindering efforts to improve OSS security where it is most needed. There is thus a need to understand OSS usage in major software and device makers' products. Our work takes a first step toward closing this knowledge gap. We investigate published OSS dependency information for 108 major software and device makers, cataloging how available and how detailed this information is and identifying the OSS packages that appear the most frequently in our data.

Related papers

An Overview and Catalogue of Dependency Challenges in Open Source Software Package Registries [52.23798016734889]
This article provides a catalogue of dependency-related challenges that come with relying on OSS packages or libraries. The catalogue is based on the scientific literature on empirical research that has been conducted to understand, quantify and overcome these challenges.
arXiv Detail & Related papers (2024-09-27T16:20:20Z)
The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition. Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies. We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
arXiv Detail & Related papers (2024-09-10T10:12:37Z)
Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
We investigate the security implications of and software-based Open Radio Access Network (RAN) systems. We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
arXiv Detail & Related papers (2024-05-03T07:18:45Z)
Open Source Software (OSS) Transparency for DoD Acquisition [0.0]
Caveat emptor, or let the buyer beware, is commonly attributed to open source software (OSS) We observe challenges for the OSS consumer to obtain information about the process(es), project(s) used to produce a product and the protection(s) employed by those projects.
arXiv Detail & Related papers (2024-04-25T16:47:34Z)
OSS Malicious Package Analysis in the Wild [17.028240712650486]
This paper builds and curates the largest dataset of 23,425 malicious packages from scattered online sources. We then propose a knowledge graph to represent the OSS malware corpus and conduct malicious package analysis in the wild.
arXiv Detail & Related papers (2024-04-07T15:25:13Z)
Assessing the Threat Level of Software Supply Chains with the Log Model [4.1920378271058425]
The use of free and open source software (FOSS) components in all software systems is estimated to be above 90%. This work presents a novel approach of assessing threat levels in FOSS supply chains with the log model.
arXiv Detail & Related papers (2023-11-20T12:44:37Z)
ThreatKG: An AI-Powered System for Automated Open-Source Cyber Threat Intelligence Gathering and Management [65.0114141380651]
ThreatKG is an automated system for OSCTI gathering and management. It efficiently collects a large number of OSCTI reports from multiple sources. It uses specialized AI-based techniques to extract high-quality knowledge about various threat entities.
arXiv Detail & Related papers (2022-12-20T16:13:59Z)
Towards Measuring Vulnerabilities and Exposures in Open-Source Packages [0.0]
We provide an up-to-date overview of the open source landscape. We discuss approaches to map entries of the Common Vulnerabilities and Exposures ( CVE) list to open-source libraries. We show the frequency and distribution of existing CVE entries with respect to popular programming languages.
arXiv Detail & Related papers (2022-06-29T10:51:23Z)
Tracking Patches for Open Source Software Vulnerabilities [9.047724746724953]
Open source software (OSS) vulnerabilities threaten the security of software systems that use OSS. There arises a growing concern about the information quality of vulnerability databases.
arXiv Detail & Related papers (2021-12-04T04:39:24Z)
A System for Automated Open-Source Threat Intelligence Gathering and Management [53.65687495231605]
SecurityKG is a system for automated OSCTI gathering and management. It uses a combination of AI and NLP techniques to extract high-fidelity knowledge about threat behaviors.
arXiv Detail & Related papers (2021-01-19T18:31:35Z)
Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance. We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems. We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z)

This list is automatically generated from the titles and abstracts of the papers in this site.