Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
149 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
45 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Dependency Practices for Vulnerability Mitigation (2310.07847v1)

Published 11 Oct 2023 in cs.SE

Abstract: Relying on dependency packages accelerates software development, but it also increases the exposure to security vulnerabilities that may be present in dependencies. While developers have full control over which dependency packages (and which version) they use, they have no control over the dependencies of their dependencies. Such transitive dependencies, which often amount to a greater number than direct dependencies, can become infected with vulnerabilities and put software projects at risk. To mitigate this risk, Practitioners need to select dependencies that respond quickly to vulnerabilities to prevent the propagation of vulnerable code to their project. To identify such dependencies, we analyze more than 450 vulnerabilities in the npm ecosystem to understand why dependent packages remain vulnerable. We identify over 200,000 npm packages that are infected through their dependencies and use 9 features to build a prediction model that identifies packages that quickly adopt the vulnerability fix and prevent further propagation of vulnerabilities. We also study the relationship between these features and the response speed of vulnerable packages. We complement our work with a practitioner survey to understand the applicability of our findings. Developers can incorporate our findings into their dependency management practices to mitigate the impact of vulnerabilities from their dependency supply chain.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (58)
  1. On the discoverability of npm vulnerabilities in node. js projects. ACM Transactions on Software Engineering and Methodology, 32(4):1–27, 2023.
  2. Why do software packages conflict? In Proceedings of the 9th IEEE Working Conference on Mining Software Repositories, pages 141–150. IEEE Press, 2012.
  3. How ecosystem cultures differ: Results from a survey on values and practices across 18 software ecosystems. http://breakingapis.org/survey/, October 2017. (accessed on 10/16/2020).
  4. How to break an api: cost negotiation and community values in three software ecosystems. In Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 109–120, 2016.
  5. Synergies and tradeoffs in software reuse–a systematic mapping study. Software: practice and experience, 47(7):943–957, 2017.
  6. Lags in the release, adoption, and propagation of npm vulnerability fixes. Empirical Software Engineering, 26:1–28, 2021.
  7. An empirical study of dependency downgrades in the npm ecosystem. IEEE Transactions on Software Engineering, 2019.
  8. P. Dallig. Dependency check plugin for sonar. https://github.com/dependency-check/dependency-check-sonar-plugin, 2023.
  9. A. Decan and T. Mens. What do package dependencies tell us about semantic versioning? IEEE Transactions on Software Engineering, 2019.
  10. A. Decan and T. Mens. Lost in zero space - an empirical comparison of 0.y.z releases in software package distributions. Science of Computer Programming, 208:102656, 2021.
  11. An empirical comparison of dependency issues in oss packaging ecosystems. In 2017 IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER), pages 2–12. IEEE, 2017.
  12. On the impact of security vulnerabilities in the npm package dependency network. In 2018 IEEE/ACM 15th International Conference on Mining Software Repositories (MSR), pages 181–191. IEEE, 2018.
  13. An empirical comparison of dependency network evolution in seven software packaging ecosystems. Empirical Software Engineering, 24(1):381–416, 2019.
  14. Back to the past–analysing backporting practices in package dependency networks. IEEE Transactions on Software Engineering, 48(10):4087–4099, 2021.
  15. T. Dey and A. Mockus. Deriving a usage-independent software quality metric. Empirical Software Engineering, 25:1596–1641, 2020.
  16. Dependency versioning in the wild. In Proceedings of the 16th International Conference on Mining Software Repositories, pages 349–359. IEEE Press, 2019.
  17. A. Géron. Hands-on machine learning with Scikit-Learn, Keras, and TensorFlow: Concepts, tools, and techniques to build intelligent systems. ” O’Reilly Media, Inc.”, 2022.
  18. GitHub. About coordinated disclosure of security vulnerabilities. https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/about-coordinated-disclosure-of-security-vulnerabilities, 2023.
  19. GitHub. Github advisory database. https://github.com/advisories, 2023.
  20. GitHub Docs. Dependabot. https://docs.github.com/en/code-security/dependabot, 2023.
  21. Peeking inside the black box: Visualizing statistical learning with plots of individual conditional expectation. journal of Computational and Graphical Statistics, 24(1):44–65, 2015.
  22. Categorizing developer information needs in software ecosystems. In Proceedings of the 2013 international workshop on ecosystem architectures, pages 1–5, 2013.
  23. Nonparametric statistical methods. John Wiley & Sons, 2013.
  24. Dependency smells in javascript projects. IEEE Transactions on Software Engineering, 48(10):3790–3807, 2021.
  25. Dependency update strategies and package characteristics. ACM Transactions on Software Engineering and Methodology, 2023.
  26. A. Javan. Dependency Sniffer. https://github.com/abbasjavan/DependencySniffer, September 2020.
  27. Replication package for dependency practices for vulnerability mitigation. https://doi.org/10.5281/zenodo.8432714, October 2023.
  28. Do developers update their library dependencies? Empirical Software Engineering, 23(1):384–417, 2018.
  29. Selecting third-party libraries: The practitioners’ perspective. In Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 245–256, 2020.
  30. A large-scale empirical study on semantic versioning in golang ecosystem. arXiv preprint arXiv:2309.02894, 2023.
  31. Libraries.io. npm. https://libraries.io/npm, 2023.
  32. Demystifying the vulnerability propagation and its evolution via dependency trees in the npm ecosystem. In Proceedings of the 44th International Conference on Software Engineering, pages 672–684, 2022.
  33. On a test of whether one of two random variables is stochastically larger than the other. The annals of mathematical statistics, pages 50–60, 1947.
  34. Type regression testing to detect breaking changes in node. js libraries. In 32nd european conference on object-oriented programming (ECOOP 2018). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik, 2018.
  35. Mitre. Common Vulnerabilities and Exposures (CVE). https://www.cve.org/About/Overview, 2023.
  36. Mitre. Common Weakness Enumeration (CWE). https://cwe.mitre.org/about/index.html, 2023.
  37. C. Molnar. Interpretable machine learning. 2020.
  38. What are the characteristics of highly-selected packages? a case study on the npm ecosystem. Journal of Systems and Software, 198:111588, 2023.
  39. npm. About semantic versioning. https://docs.npmjs.com/about-semantic-versioning, February 2022.
  40. npm. The npm registry. https://www.npmjs.com/, April 2022.
  41. npm Docs. npm-audit. https://docs.npmjs.com/cli/v9/commands/npm-audit, 2023.
  42. npmjs. The semver package. https://www.npmjs.com/package/semver, 2023.
  43. On the feasibility of supervised machine learning for the detection of malicious software packages. In Proceedings of the 17th International Conference on Availability, Reliability and Security, pages 1–10, 2022.
  44. Pandas. Pandas api reference. https://pandas.pydata.org/docs/reference/api/pandas.get_dummies.html, 2023.
  45. A qualitative study of dependency management and its security implications. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pages 1513–1531, 2020.
  46. T. Preston-Werner. Semantic versioning 2.0, 2019.
  47. M. Rickard. The nine circles of dependency hell (and a roadmap out). https://about.sourcegraph.com/blog/nine-circles-of-dependency-hell, 2021.
  48. Scikit. Scikit api reference. https://scikit-learn.org/stable/modules/generated/sklearn.dummy.DummyClassifier.html, 2023.
  49. Scikit-learn. Permutation importance vs random forest feature importance, 2020.
  50. Software engineering data collection for field studies. Guide to advanced empirical software engineering, pages 9–34, 2008.
  51. Sonar. Sonarqube. https://www.sonarsource.com/products/sonarqube/, 2023.
  52. Sonatype. 2021 state of the software supply chain. https://www.sonatype.com/hubfs/SSSC-Report-2021_0913_PM_2.pdf?hsLang=en-us, 2021.
  53. L. Tal. Snyk research team discovers severe prototype pollution security vulnerabilities affecting all versions of lodash. https://snyk.io/blog/snyk-research-team-discovers-severe-prototype-pollution/security-vulnerabilities-affecting-all-versions-of-lodash, 2019.
  54. A. Tharwat. Classification assessment methods. Applied computing and informatics, 17(1):168–192, 2020.
  55. Tidelift. The 2022 open source software supply chain survey report. https://tidelift.com/2022-open-source-software-supply-chain-survey, 2022.
  56. On the impact of security vulnerabilities in the npm and rubygems dependency networks. Empirical Software Engineering, 27(5):107, 2022.
  57. On the diversity of software package popularity metrics: An empirical study of npm. In 2019 IEEE 26th international conference on software analysis, Evolution and Reengineering (SANER), pages 589–593. IEEE, 2019.
  58. Small world with high risks: A study of security threats in the npm ecosystem. USENIX security symposium, 17, 2019.

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now