See to Believe: Using Visualization To Motivate Updating Third-party Dependencies (2405.09074v1)
Abstract: Security vulnerabilities introduced into applications through third-party dependencies are increasing, driven by the emergence of large library ecosystems such as the npm packages for JavaScript. Libraries in these ecosystems depend on each other, so relying on them means that vulnerable dependencies are not only direct but also indirect (transitive) dependencies. Automated tools exist to manage these complex dependencies, but recent work still shows that developers are wary of library updates, even ones that fix vulnerabilities, citing that they are unaware of the vulnerability or that the migration effort of updating outweighs the benefit. In this paper, we hypothesize that a dependency graph visualization (DGV) approach will motivate developers to update, especially as a means of convincing them that an update is needed. To test this hypothesis, we performed a user study with 20 participants divided equally into an experimental group (DGV) and a control group (the state-of-the-art tool, npm audit), each completing two tasks: reviewing vulnerabilities in complex dependency structures and reviewing vulnerabilities in indirect dependencies. We find that 70% of the participants who saw the visualization re-prioritized their updates in both tasks, compared with 30% and 60%, respectively, of the participants who used npm audit.
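The distinction the abstract draws between direct and transitive vulnerable dependencies is what a dependency graph makes visible and a flat audit list does not: which direct dependency pulls in the vulnerable package, through which chain, and therefore which single update removes the most exposure. The following is an added example, not code from the paper or from the DGV tool it evaluates. It builds the graph from a constructed `package-lock.json` (lockfileVersion 3 layout, made-up package names and versions, including a nested `node_modules` copy), checks each installed package against a constructed advisory list (any version below `fixedIn` is treated as affected; no real advisory identifiers are used), enumerates every chain from the project root to a vulnerable install, and ranks direct dependencies by how many of those chains updating them would cut.

```javascript
'use strict';
// Added example: rank direct dependencies by the vulnerable transitive chains they pull in.

// Constructed lockfile (lockfileVersion 3 layout); names and versions are made up.
const LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'web-framework': '^1.0.0', bundler: '^2.0.0', 'arg-parse': '^1.0.0' } },
    'node_modules/web-framework': { version: '1.4.0', dependencies: { 'body-parse': '^1.0.0', 'query-str': '^6.0.0' } },
    'node_modules/body-parse': { version: '1.2.0', dependencies: { 'query-str': '^6.0.0' } },
    'node_modules/query-str': { version: '6.7.0' },
    'node_modules/bundler': { version: '2.1.0', dependencies: { 'arg-parse': '^0.9.0' } },
    // nested copy: bundler needs an older arg-parse than the project itself installs
    'node_modules/bundler/node_modules/arg-parse': { version: '0.9.1' },
    'node_modules/arg-parse': { version: '1.2.5' },
  },
};

// Constructed advisories: every version below `fixedIn` is affected. No real identifiers.
const ADVISORIES = [
  { name: 'query-str', fixedIn: '6.7.3', title: 'constructed advisory A' },
  { name: 'arg-parse', fixedIn: '1.2.3', title: 'constructed advisory B' },
];

// Numeric major.minor.patch comparison; returns <0, 0, >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name of a lockfile path; '' is the project root. Handles scoped names.
function nameOf(lock, path) {
  if (path === '') return lock.name || 'root';
  const marker = 'node_modules/';
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Where Node would load dependency `dep` of the package at `fromPath`:
// the nearest node_modules/<dep> walking up from fromPath, or null if not installed.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Directed graph: lockfile path -> resolved paths of its declared dependencies.
function buildGraph(lock) {
  const graph = new Map();
  for (const [path, entry] of Object.entries(lock.packages)) {
    const children = [];
    for (const dep of Object.keys(entry.dependencies || {})) {
      const target = resolveDep(lock.packages, path, dep);
      if (target !== null) children.push(target); // not installed (e.g. optional): skip
    }
    graph.set(path, children);
  }
  return graph;
}

// Every installed package (any nesting level) matched by an advisory.
function vulnerableInstalls(lock, advisories) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue;
    const name = nameOf(lock, path);
    for (const adv of advisories) {
      if (adv.name === name && compareVersions(entry.version, adv.fixedIn) < 0) {
        hits.push({ path, name, version: entry.version, advisory: adv });
      }
    }
  }
  return hits;
}

// All simple chains root -> ... -> target; the on-chain check breaks dependency cycles.
function findChains(graph, target) {
  const chains = [];
  const walk = (node, stack) => {
    const chain = [...stack, node];
    if (node === target) { chains.push(chain); return; }
    for (const child of graph.get(node) || []) {
      if (!chain.includes(child)) walk(child, chain);
    }
  };
  walk('', []);
  return chains;
}

// Group chains by the direct dependency (second hop) and sort by how many chains it carries.
function prioritize(lock, advisories) {
  const graph = buildGraph(lock);
  const byDirect = new Map();
  for (const v of vulnerableInstalls(lock, advisories)) {
    for (const chain of findChains(graph, v.path)) {
      const direct = nameOf(lock, chain[1]);
      const entry = byDirect.get(direct) || { direct, chains: [], vulnerable: new Set() };
      entry.chains.push(chain.map((p) => nameOf(lock, p)).join(' > '));
      entry.vulnerable.add(`${v.name}@${v.version}`);
      byDirect.set(direct, entry);
    }
  }
  return [...byDirect.values()]
    .map((e) => ({ direct: e.direct, vulnerable: [...e.vulnerable], chains: e.chains }))
    .sort((a, b) => b.chains.length - a.chains.length || a.direct.localeCompare(b.direct));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of prioritize(LOCK, ADVISORIES)) {
    console.log(`update ${r.direct}: cuts ${r.chains.length} chain(s) to ${r.vulnerable.join(', ')}`);
    for (const c of r.chains) console.log('  ' + c);
  }
}
if (typeof module !== 'undefined') {
  module.exports = { compareVersions, resolveDep, buildGraph, vulnerableInstalls, findChains, prioritize, LOCK, ADVISORIES };
}
```

On the constructed lockfile, `query-str@6.7.0` is reached twice through `web-framework` (directly and via `body-parse`), while the affected `arg-parse@0.9.1` is only the nested copy under `bundler`; the direct `arg-parse@1.2.5` is already fixed, which is exactly the case a flat per-package list tends to obscure. Replacing the hard-coded `LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` and `ADVISORIES` with the output of `npm audit --json` (its `vulnerabilities` entries carry name and range information that would need a real semver range matcher rather than the `fixedIn` shortcut used here) turns the same logic into a usable pre-update triage script.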