On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency Networks

06/12/2021
by   Ahmed Zerouali, et al.

The increasing interest in open source software has led to the emergence of large package distributions of reusable software libraries, such as npm and RubyGems. These packages can be subject to security vulnerabilities that may expose dependent packages through explicitly declared dependencies. This article empirically studies security vulnerabilities affecting npm and RubyGems packages. We analyse how and when these vulnerabilities are discovered and fixed, and how their prevalence changes over time. We also analyse how vulnerable packages expose their direct and indirect dependents to vulnerabilities. We distinguish between two types of dependents: packages distributed via the package manager, and external GitHub projects. Compared to RubyGems, we observe that the number of vulnerabilities is increasing faster in npm, but vulnerabilities are also discovered faster in npm. For both package distributions, the time required to discover vulnerabilities is increasing, but npm is improving the time needed to fix vulnerabilities. A large proportion of external GitHub projects are exposed to vulnerabilities coming from direct or indirect dependencies. Around one out of three direct vulnerable dependencies to which projects or packages are exposed could be avoided if software developers updated their dependencies to more recent releases within the same major release range.
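The last finding of the abstract, that many vulnerable direct dependencies are "avoidable" because a non-vulnerable release already exists within the same major version, can be checked mechanically. The following is an added illustration, not code or data from the paper: it uses RubyGems' built-in Gem::Version and Gem::Requirement classes to classify a resolved dependency as safe, avoidable (a later same-major release is not in any vulnerable range) or unavoidable (every same-major release is vulnerable). The gem names (acme-parser, acme-auth), their release histories and the vulnerable ranges are constructed for the example and do not refer to real advisories.

```ruby
# Added example (not from the paper): classify a resolved gem version as
# safe / avoidable / unavoidable, using RubyGems' own version arithmetic.
require "rubygems"

# Constructed advisory table: gem name => version requirements describing
# the vulnerable range(s). All names and ranges here are hypothetical.
VULNERABLE = {
  "acme-parser" => [Gem::Requirement.new("< 1.2.1")],
  "acme-auth"   => [Gem::Requirement.new(">= 1.0", "< 2.0")],
}.freeze

# Constructed release histories, i.e. what the registry would list.
RELEASES = {
  "acme-parser" => %w[1.0.0 1.1.0 1.2.0 1.2.1 1.3.0 2.0.0],
  "acme-auth"   => %w[1.0.0 1.1.0 1.4.2 2.0.0],
}.freeze

# True if any advisory range for +name+ contains +version+ (a Gem::Version).
def vulnerable?(name, version)
  VULNERABLE.fetch(name, []).any? { |req| req.satisfied_by?(version) }
end

# Classify one resolved dependency.
#   name       - gem name
#   resolved   - the version currently locked (e.g. from Gemfile.lock)
#   constraint - the requirement declared in the Gemfile (e.g. "~> 1.0")
# Returns {status:, fix:, in_constraint:} where :fix is the lowest later
# release with the same major version that is outside every vulnerable
# range, and :in_constraint says whether the declared requirement already
# permits that fix (i.e. a plain `bundle update` would pick it up).
def classify(name, resolved, constraint)
  current = Gem::Version.new(resolved)
  return { status: :safe, fix: nil, in_constraint: nil } unless vulnerable?(name, current)

  major = current.segments[0]
  candidates = RELEASES.fetch(name)
                       .map { |s| Gem::Version.new(s) }
                       .reject(&:prerelease?)                         # ignore 1.3.0.beta1 etc.
                       .select { |v| v.segments[0] == major && v > current } # same major, newer
                       .reject { |v| vulnerable?(name, v) }
                       .sort
  fix = candidates.first
  return { status: :unavoidable, fix: nil, in_constraint: nil } if fix.nil?

  { status: :avoidable,
    fix: fix.to_s,
    in_constraint: Gem::Requirement.new(constraint).satisfied_by?(fix) }
end

# Summarise a list of [name, resolved, constraint] triples the way the
# paper's "one out of three" figure is derived: how many vulnerable direct
# dependencies could be avoided by a same-major update.
def summarize(deps)
  counts = Hash.new(0)
  deps.each { |name, resolved, constraint| counts[classify(name, resolved, constraint)[:status]] += 1 }
  vulnerable = counts[:avoidable] + counts[:unavoidable]
  { counts: counts,
    avoidable_fraction: vulnerable.zero? ? 0.0 : counts[:avoidable].to_f / vulnerable }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed lockfile excerpt for demonstration.
  deps = [
    ["acme-parser", "1.1.0", "~> 1.0"],   # vulnerable, 1.2.1 fixes it within ~> 1.0
    ["acme-parser", "1.3.0", "~> 1.3"],   # already safe
    ["acme-auth",   "1.1.0", "~> 1.0"],   # every 1.x release is vulnerable
  ]
  deps.each { |d| puts "#{d[0]} #{d[1]}: #{classify(*d).inspect}" }
  puts summarize(deps).inspect
end
```

The same-major filter mirrors the paper's notion of "the same major release range"; a dependent that needs the fix in 2.0.0 is reported as unavoidable because crossing a major boundary may require code changes. The in_constraint flag separates the two practical cases: a fix that the declared requirement already allows (the lockfile is simply stale) versus one that needs the Gemfile requirement loosened.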


