Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages

by   Nasif Imtiaz, et al.

Vulnerabilities in open source packages can be a security risk for the client projects that use these packages as dependencies. When a new vulnerability is discovered in a package, the package should quickly release a fix in a new version, referred to as security release in this study. The security release should be well-documented and require minimal migration effort to facilitate fast adoption by the client projects. However, to what extent the open source packages follow these recommendations is not known. The goal of this study is to aid software practitioners and researchers in understanding the current practice of releasing security fixes by open source packages and identifying areas for improvement through an empirical study of security releases. Specifically, in this paper, we study (1) the time lag between fix and release; (2) how security fixes are documented in the release notes; (3) code change characteristics (size and semantic versioning) of the release; and (4) the time lag between the release and an advisory publication on Snyk or NVD (two popular vulnerability databases) for security releases over a dataset of 4,377 security advisories across seven package ecosystems. We find that the median security release is available in under 4 days of the corresponding fix and contains 134 lines of code (LOC) change. Further, we find that 61.5 releases come with a release note that documents the corresponding security fix. However, Snyk and NVD may take a median of 25 days (from the release) to publish an advisory for these security releases, possibly resulting in delayed notification to the client projects. Based on our findings, we make four recommendations for the package maintainers and the ecosystem administrators, such as using private fork for security fixes and standardizing the practice for announcing security releases.


An Empirical Study of Yanked Releases in the Rust Package Registry

Cargo, the software packaging manager of Rust, provides a yank mechanism...

Lost in Zero Space – An Empirical Comparison of 0.y.z Releases in Software Package Distributions

Distributions of open source software packages dedicated to specific pro...

On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency Networks

The increasing interest in open source software has led to the emergence...

A Closer Look at the Security Risks in the Rust Ecosystem

Rust is an emerging programming language designed for the development of...

A Large Scale Analysis of Semantic Versioning in NPM

The NPM package repository contains over two million packages and serves...

Accelerating package expansion in Rust through development of a semantic versioning tool

In many programming languages there exist countless nuances, making deve...

A first look at an emerging model of community organizations for the long-term maintenance of ecosystems' packages

One of the biggest strength of many modern programming languages is thei...

Please sign up or login with your details

Forgot password? Click here to reset