Out of sight, out of mind? How vulnerable dependencies affect open-source projects.

Bibliographic Details
Title: Out of sight, out of mind? How vulnerable dependencies affect open-source projects.
Authors: Prana, Gede Artha Azriadi, Sharma, Abhishek, Shar, Lwin Khin, Foo, Darius, Santosa, Andrew E., Sharma, Asankhaya, Lo, David
Source: Empirical Software Engineering, Jul 2021, Vol. 26, Issue 4, pp. 1-34 (34 pages)
Subject Terms: SOFTWARE product line engineering, COMPUTER software development, SOFTWARE engineering, MOBILE apps, APPLICATION software
Abstract: Context: Software developers often use open-source libraries in their projects to improve development speed. However, such libraries may contain security vulnerabilities, and this has resulted in several high-profile incidents in recent years. As usage of open-source libraries grows, understanding of these dependency vulnerabilities becomes increasingly important. Objective: In this work, we analyze vulnerabilities in open-source libraries used by 450 software projects written in Java, Python, and Ruby. Our goal is to examine types, distribution, severity, and persistence of the vulnerabilities, along with relationships between their prevalence and project as well as commit attributes. Method: Our data is obtained by scanning versions of the sample projects after each commit made between November 1, 2017 and October 31, 2018 using an industrial software composition analysis tool, which provides information such as library names and versions, dependency types (direct or transitive), and known vulnerabilities. Results: Among other findings, we found that project activity level, popularity, and developer experience do not translate into better or worse handling of dependency vulnerabilities. We also found "Denial of Service" and "Information Disclosure" types of vulnerabilities being common across the languages studied. Further, we found that most dependency vulnerabilities persist throughout the observation period (mean of 78.4%, 97.7%, and 66.4% for publicly-known vulnerabilities in our Java, Python, and Ruby datasets respectively), and the resolved ones take 3-5 months to fix. Conclusion: Our results highlight the importance of managing the number of dependencies and performing timely updates, and indicate some areas that can be prioritized to improve security in a wide range of projects, such as prevention and mitigation of Denial-of-Service attacks. [ABSTRACT FROM AUTHOR]
Copyright of Empirical Software Engineering is the property of Springer Nature and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
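The abstract's method is a per-commit software composition analysis (SCA) scan over a fixed observation window, from which persistence (the share of vulnerabilities still present in the last scanned commit) and time-to-fix are derived. The script below reproduces that measurement on a constructed scan history so a practitioner can run the same analysis over their own repository's scan output. It is an added example, not code from the paper or its authors; the record layout (commit date, advisory id, package, version, dependency type), the advisory ids and dates, and the rule that the first scanned commit in which a vulnerability no longer appears is its fix commit are all assumptions, and the paper's own definitions may differ.

```python
"""
Persistence and time-to-fix of dependency vulnerabilities from a
per-commit SCA scan history (added example; not the paper's code).

Assumed record layout per (commit, vulnerable dependency):
    (commit_date, advisory_id, package, version, dependency_type)
The advisory ids, packages, versions and dates below are constructed.
"""
from collections import Counter
from datetime import date

# Observation window stated in the abstract.
WINDOW_START = date(2017, 11, 1)
WINDOW_END = date(2018, 10, 31)

# Constructed scan output. Each scanned commit lists every vulnerable
# library it pulls in, with the advisory id and whether the dependency is
# declared directly or reached transitively.
SCANS = [
    (date(2017, 11, 3), "ADV-A", "libfoo", "1.0.0", "direct"),
    (date(2018, 1, 10), "ADV-A", "libfoo", "1.0.0", "direct"),
    (date(2018, 1, 10), "ADV-B", "libbar", "2.1.0", "transitive"),
    (date(2018, 3, 2), "ADV-A", "libfoo", "1.0.0", "direct"),
    (date(2018, 3, 2), "ADV-B", "libbar", "2.1.0", "transitive"),
    (date(2018, 6, 15), "ADV-B", "libbar", "2.1.0", "transitive"),
    (date(2018, 6, 15), "ADV-C", "libbaz", "0.9.0", "direct"),
    (date(2018, 10, 20), "ADV-B", "libbar", "2.1.0", "transitive"),
    (date(2018, 10, 20), "ADV-C", "libbaz", "0.9.0", "direct"),
    # Commit after the window: must be ignored by the analysis.
    (date(2018, 11, 5), "ADV-D", "libqux", "3.0.0", "direct"),
]


def in_window(scans, start=WINDOW_START, end=WINDOW_END):
    """Keep only scans of commits made inside the observation window."""
    return [s for s in scans if start <= s[0] <= end]


def vulnerability_timeline(scans):
    """Map (advisory, package) -> first/last commit date seen and dependency type."""
    timeline = {}
    for commit_date, advisory, package, _version, dep_type in scans:
        key = (advisory, package)
        entry = timeline.setdefault(
            key, {"first": commit_date, "last": commit_date, "dep_type": dep_type}
        )
        entry["first"] = min(entry["first"], commit_date)
        entry["last"] = max(entry["last"], commit_date)
    return timeline


def classify(scans):
    """Split vulnerabilities into those persisting through the last scanned
    commit and those resolved earlier. Assumption: the first scanned commit
    in which a vulnerability no longer appears is its fix commit, and
    time-to-fix runs from the first sighting to that commit."""
    scans = in_window(scans)
    commit_dates = sorted({s[0] for s in scans})
    last_scan = commit_dates[-1]
    persisted, resolved = [], []
    for (advisory, package), entry in vulnerability_timeline(scans).items():
        record = {"advisory": advisory, "package": package, "dep_type": entry["dep_type"]}
        if entry["last"] == last_scan:
            persisted.append(record)
        else:
            fix_date = next(d for d in commit_dates if d > entry["last"])
            record["days_to_fix"] = (fix_date - entry["first"]).days
            resolved.append(record)
    return persisted, resolved


def summarize(scans):
    """Persistence rate and mean time-to-fix, plus a direct/transitive
    breakdown of the vulnerabilities still present at the end of the window."""
    persisted, resolved = classify(scans)
    total = len(persisted) + len(resolved)
    return {
        "total": total,
        "persisted": len(persisted),
        "persistence_rate": len(persisted) / total if total else 0.0,
        "mean_days_to_fix": (
            sum(r["days_to_fix"] for r in resolved) / len(resolved) if resolved else None
        ),
        "persisted_by_dep_type": dict(Counter(r["dep_type"] for r in persisted)),
    }


if __name__ == "__main__":
    for key, value in summarize(SCANS).items():
        print(f"{key}: {value}")
```

Two caveats for anyone applying this to real scan output: a vulnerability that disappears because the commit dropped the feature that used the library counts as "fixed" under this rule just as an upgrade does, and a dependency that is removed and later reintroduced is measured from its first sighting to its first absence only. Both are limitations of the measurement, not of the paper, whose exact definitions are not reproduced here.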
Record Details
DOI: 10.1007/s10664-021-09959-3
Language: English
Pagination: 34 pages, starting at page 1
Journal: Empirical Software Engineering, ISSN (print) 1382-3256
Published: July 2021, Vol. 26, Issue 4