Related papers: A Comprehensive Study on the Impact of Vulnerable Dependencies on Open-Source Software

A Comprehensive Study on the Impact of Vulnerable Dependencies on Open-Source Software

URL: http://arxiv.org/abs/2512.03868v1
Date: Wed, 03 Dec 2025 15:20:10 GMT
Title: A Comprehensive Study on the Impact of Vulnerable Dependencies on Open-Source Software
Authors: Shree Hari Bittugondanahalli Indra Kumar, Lilia Rodrigues Sampaio, André Martin, Andrey Brito, Christof Fetzer,
Abstract summary: We conducted a study on over 1k open-source software projects with about 50k releases comprising several languages such as Java, Python, Rust, Go, Ruby, and JavaScript.<n>Our objective is to investigate the severity, persistence, and distribution of these vulnerabilities, as well as their correlation with project metrics such as team and contributors size, activity and release cycles.<n>Using our approach, we can provide information such as library versions, dependency depth, and known vulnerabilities, and how they evolved over the software development cycle.
Score: 0.2772895608190934
License: http://creativecommons.org/licenses/by-nc-sa/4.0/
Abstract: Open-source libraries are widely used by software developers to speed up the development of products, however, they can introduce security vulnerabilities, leading to incidents like Log4Shell. With the expanding usage of open-source libraries, it becomes even more imperative to comprehend and address these dependency vulnerabilities. The use of Software Composition Analysis (SCA) tools does greatly help here as they provide a deep insight on what dependencies are used in a project, enhancing the security and integrity in the software supply chain. In order to learn how wide spread vulnerabilities are and how quickly they are being fixed, we conducted a study on over 1k open-source software projects with about 50k releases comprising several languages such as Java, Python, Rust, Go, Ruby, PHP, and JavaScript. Our objective is to investigate the severity, persistence, and distribution of these vulnerabilities, as well as their correlation with project metrics such as team and contributors size, activity and release cycles. In order to perform such analysis, we crawled over 1k projects from github including their version history ranging from 2013 to 2023 using VODA, our SCA tool. Using our approach, we can provide information such as library versions, dependency depth, and known vulnerabilities, and how they evolved over the software development cycle. Being larger and more diverse than datasets used in earlier works and studies, ours provides better insights and generalizability of the gained results. The data collected answers several research questions about the dependency depth and the average time a vulnerability persists. Among other findings, we observed that for most programming languages, vulnerable dependencies are transitive, and a critical vulnerability persists in average for over a year before being fixed.

Related papers

Why Authors and Maintainers Link (or Don't Link) Their PyPI Libraries to Code Repositories and Donation Platforms [83.16077040470975]
Metadata of libraries on the Python Package Index (PyPI) plays a critical role in supporting the transparency, trust, and sustainability of open-source libraries.<n>This paper presents a large-scale empirical study combining two targeted surveys sent to 50,000 PyPI authors and maintainers.<n>We analyze more than 1,400 responses using large language model (LLM)-based topic modeling to uncover key motivations and barriers related to linking repositories and donation platforms.
arXiv Detail & Related papers (2026-01-21T16:13:57Z)
Analyzing the Availability of E-Mail Addresses for PyPI Libraries [89.21869606965578]
81.6% of libraries include at least one valid e-mail address, with PyPI serving as the primary source.<n>We identify over 698,000 invalid entries, primarily due to missing fields.
arXiv Detail & Related papers (2026-01-20T14:54:58Z)
Eradicating the Unseen: Detecting, Exploiting, and Remediating a Path Traversal Vulnerability across GitHub [1.2124551005857036]
Vulnerabilities in open-source software can cause cascading effects in the modern digital ecosystem.<n>We identified 1,756 vulnerable open-source projects, some of which are very influential.<n>We have responsibly disclosed the vulnerability to the maintainers, and 14% of the reported vulnerabilities have been remediated.
arXiv Detail & Related papers (2025-05-26T16:29:21Z)
Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack [0.8517406772939294]
The digital economy runs on Open Source Software (OSS), with an estimated 90% of modern applications containing open-source components.<n>This paper examines a sophisticated attack on the XZUtils project (-2024-3094), where attackers exploited not just code, but the entire open-source development process.<n>Our analysis reveals a new breed of supply chain attack that manipulates software engineering practices themselves.
arXiv Detail & Related papers (2025-04-24T12:06:11Z)
The Ripple Effect of Vulnerabilities in Maven Central: Prevalence, Propagation, and Mitigation Challenges [8.955037553566774]
We analyze the prevalence and impact of vulnerabilities within the Maven Central ecosystem using Common Vulnerabilities and Exposures data.<n>In our subsample of around 4 million releases, we found that while only about 1% of releases have direct vulnerabilities.<n>We also observed that the time taken to patch vulnerabilities, including those of high or critical severity, often spans several years.
arXiv Detail & Related papers (2025-04-05T13:45:27Z)
Forecasting the risk of software choices: A model to foretell security vulnerabilities from library dependencies and source code evolution [4.538870924201896]
We introduce a model capable of vulnerability forecasting at library level. Our model can estimate the probability that a software project faces a CVE disclosure in a future time window.
arXiv Detail & Related papers (2024-11-17T23:36:27Z)
Discovery of Timeline and Crowd Reaction of Software Vulnerability Disclosures [47.435076500269545]
Apache Log4J was found to be vulnerable to remote code execution attacks. More than 35,000 packages were forced to update their Log4J libraries with the latest version. It is practically reasonable for software developers to update their third-party libraries whenever the software vendors have released a vulnerable-free version.
arXiv Detail & Related papers (2024-11-12T01:55:51Z)
The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition. Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies. We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
arXiv Detail & Related papers (2024-09-10T10:12:37Z)
On Security Weaknesses and Vulnerabilities in Deep Learning Systems [32.14068820256729]
We specifically look into deep learning (DL) framework and perform the first systematic study of vulnerabilities in DL systems. We propose a two-stream data analysis framework to explore vulnerability patterns from various databases. We conducted a large-scale empirical study of 3,049 DL vulnerabilities to better understand the patterns of vulnerability and the challenges in fixing them.
arXiv Detail & Related papers (2024-06-12T23:04:13Z)
Analyzing Maintenance Activities of Software Libraries [55.2480439325792]
Industrial applications heavily integrate open-source software libraries nowadays.<n>I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
arXiv Detail & Related papers (2023-06-09T16:51:25Z)
On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
We present a novel approach to detect vulnerable clones in the Maven repository. We retrieve over 53k potential vulnerable clones from Maven Central. We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
arXiv Detail & Related papers (2023-06-08T20:14:46Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.