ABSTRACT
Background: Vulnerable dependencies are a known problem in today's open-source software ecosystems because OSS libraries are highly interconnected and developers do not always update their dependencies.
Aim: Our paper addresses the over-inflation problem of academic and industrial approaches for reporting vulnerable dependencies in OSS software, and therefore, caters to the needs of industrial practice for correct allocation of development and audit resources.
Method: Careful analysis of deployed dependencies, aggregation of dependencies by their projects, and distinction of halted dependencies allow us to obtain a counting method that avoids over-inflation. To understand the industrial impact of a more precise approach, we considered the 200 most popular OSS Java libraries used by SAP in its own software. Our analysis included 10905 distinct GAVs (group, artifact, version) in Maven when considering all the library versions.
Results: We found that about 20% of the dependencies affected by a known vulnerability are not deployed, and therefore, they do not represent a danger to the analyzed library because they cannot be exploited in practice. Developers of the analyzed libraries are able to fix (and are actually responsible for) 82% of the deployed vulnerable dependencies. The vast majority (81%) of vulnerable dependencies may be fixed by simply updating to a new version, while 1% of the vulnerable dependencies in our sample are halted, and therefore, potentially require a costly mitigation strategy.
Conclusions: Our case study shows that correct counting allows software development companies to receive actionable information about their library dependencies, and therefore, to correctly allocate costly development and audit resources, which are otherwise spent inefficiently when measurements are distorted.
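The counting method sketched in the Method and Results paragraphs (drop non-deployed dependencies, aggregate by project, separate halted projects from those fixable by an update) can be made concrete with a small classifier over Maven-style dependency records. This is an added illustration, not the paper's own tooling; it assumes that only `compile`/`runtime` scopes are shipped, that artifacts sharing a groupId form one project, and it runs on a constructed sample.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Dep:
    gav: str                    # Maven coordinates "group:artifact:version"
    scope: str                  # Maven scope of the dependency
    direct: bool                # declared by the analysed library itself
    vulnerable: bool            # version matches a known vulnerability
    fix_version: Optional[str]  # later non-vulnerable version, None if none exists
    halted: bool                # dependency project no longer maintained

# Assumption: only compile/runtime dependencies are shipped with the library
DEPLOYED_SCOPES = {"compile", "runtime"}

def project_of(dep: Dep) -> str:
    # Assumption: artifacts sharing a groupId belong to one project
    return dep.gav.split(":")[0]

def count_vulnerable_deps(deps: List[Dep]) -> Dict[str, int]:
    vulnerable = [d for d in deps if d.vulnerable]
    deployed = [d for d in vulnerable if d.scope in DEPLOYED_SCOPES]
    # Aggregate by project: several vulnerable artifacts of one project are one fix
    projects: Dict[str, List[Dep]] = defaultdict(list)
    for d in deployed:
        projects[project_of(d)].append(d)
    halted = [p for p, ds in projects.items() if any(d.halted for d in ds)]
    fixable = [p for p, ds in projects.items()
               if p not in halted and any(d.fix_version for d in ds)]
    return {
        "naive": len(vulnerable),                 # every vulnerable GAV, over-inflated
        "not_deployed": len(vulnerable) - len(deployed),
        "deployed_projects": len(projects),
        "own_responsibility": sum(any(d.direct for d in ds) for ds in projects.values()),
        "fixable_by_update": len(fixable),
        "halted": len(halted),
    }

# Constructed sample: two artifacts of one project, a test-only dep, a halted dep
SAMPLE = [
    Dep("org.example.web:web-core:1.0", "compile", True, True, "1.1", False),
    Dep("org.example.web:web-util:1.0", "compile", False, True, "1.1", False),
    Dep("org.example.json:json-lib:2.3", "compile", False, True, "2.4", False),
    Dep("junit:junit:4.11", "test", True, True, "4.13", False),
    Dep("org.legacy:old-xml:0.9", "runtime", True, True, None, True),
    Dep("org.ok:fine-lib:3.0", "compile", True, False, None, False),
]

if __name__ == "__main__":
    print(count_vulnerable_deps(SAMPLE))
```

On the sample the naive count reports five vulnerable dependencies, while the refined count reports three deployed projects, of which two are fixable by an update and one is halted.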
Index Terms: Vulnerable open source dependencies: counting those that matter