Vulnerable Open Source Dependencies: Counting Those That Matter

by Ivan Pashchenko, et al.

BACKGROUND: Vulnerable dependencies are a known problem in today's open-source software ecosystems because OSS libraries are highly interconnected and developers do not always update their dependencies. AIMS: In this paper we aim to present a precise methodology that combines the code-based analysis of patches with information on build, test, update dates, and group extracted from the very code repository, and therefore caters to the needs of industrial practice for the correct allocation of development and audit resources. METHOD: To understand the industrial impact of the proposed methodology, we considered the 200 most popular OSS Java libraries used by SAP in its own software. Our analysis included 10905 distinct GAVs (group, artifact, version) when considering all the library versions. RESULTS: We found that about 20% of the dependencies affected by a known vulnerability are not deployed, and therefore they do not represent a danger to the analyzed library because they cannot be exploited in practice. Developers of the analyzed libraries are able to fix (and are actually responsible for) 82% of the deployed vulnerable dependencies. The vast majority (81%) of vulnerable dependencies may be fixed by simply updating to a new version, while 1% of the vulnerable dependencies in our sample are halted, and therefore potentially require a costly mitigation strategy. CONCLUSIONS: Our case study shows that correct counting allows software development companies to receive actionable information about their library dependencies, and therefore correctly allocate costly development and audit resources, which are spent inefficiently in the case of distorted measurements.
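The distinctions the abstract counts (not deployed, fixable by a version bump, halted) can be illustrated with a small triage routine over Maven-style dependency records. This is an added example, not the paper's tooling or data: the scope-based "deployed" test, the two-year inactivity threshold, and the sample coordinates are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed threshold for "halted" (no release for two years); not a value from the paper.
HALTED_AFTER_DAYS = 730
TODAY = date(2021, 6, 1)  # fixed reference date so the sample is reproducible


@dataclass
class Dependency:
    gav: str                    # Maven coordinates "group:artifact:version"
    scope: str                  # Maven scope: compile, runtime, provided, test
    vulnerable: bool            # a known vulnerability affects this version
    latest_version: str         # newest release of the artifact in the repository
    latest_release: date        # date of that newest release
    fix_version: Optional[str]  # first version containing the fix, None if none known


def parse_version(v: str) -> tuple:
    """Numeric comparison of dotted versions such as 2.9.10 (enough for this sample)."""
    return tuple(int(p) for p in v.split("."))


def classify(dep: Dependency, today: date) -> str:
    """Bucket one dependency the way the abstract's counting distinguishes them."""
    if not dep.vulnerable:
        return "not-vulnerable"
    # Test/build-only dependencies never ship, so the flaw cannot be exploited in practice.
    if dep.scope not in ("compile", "runtime"):
        return "not-deployed"
    # A fixed release already exists: the cheap remedy is a version bump.
    if dep.fix_version and parse_version(dep.latest_version) >= parse_version(dep.fix_version):
        return "fixable-by-update"
    # No fix and the project has gone quiet: a mitigation strategy is needed instead.
    if (today - dep.latest_release).days > HALTED_AFTER_DAYS:
        return "halted"
    return "awaiting-fix"


def count_by_bucket(deps: List[Dependency], today: date) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for dep in deps:
        bucket = classify(dep, today)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Constructed sample records (coordinates and dates are made up for illustration).
SAMPLE = [
    Dependency("org.example:parser:1.2.0", "compile", True, "1.3.0", date(2020, 5, 1), "1.3.0"),
    Dependency("org.example:mock-util:0.9.0", "test", True, "0.9.0", date(2018, 1, 1), None),
    Dependency("org.example:legacy-io:2.0.1", "runtime", True, "2.0.1", date(2016, 3, 1), None),
    Dependency("org.example:logging:4.1.0", "compile", False, "4.1.0", date(2021, 2, 1), None),
]
```

Only the deployed buckets feed the count that should drive audit effort; the test-scoped record is reported separately so it does not inflate the tally.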


