Analyzing the Direct and Transitive Impact of Vulnerabilities onto Different Artifact Repositories

Johannes Düsing, Ben Hermann
Journal: Digital Threats: Research and Practice
DOI: 10.1145/3472811 (https://doi.org/10.1145/3472811)
Publication date: 2021-07-02
Publication type: Journal article
Citations: 8

Abstract

In modern-day software development, a vast number of public software libraries enable the reuse of existing implementations for recurring tasks and common problems. While this practice yields significant productivity benefits, it also places an increasing amount of responsibility on library maintainers. If a library release contains a security flaw, it may directly affect thousands of applications that depend on it. Because libraries are often interconnected, that is, they depend on other libraries for certain sub-tasks, the impact of a single vulnerability may be large and is hard to quantify. Recent studies have shown that developers in fact struggle to upgrade vulnerable dependencies, despite ever-increasing support from automated tools, which are often publicly available. With our work, we aim to improve on this situation by providing an in-depth analysis of how developers handle vulnerability patches and dependency upgrades. To do so, we contribute a miner for artifact dependency graphs that supports different programming platforms and annotates the graph with vulnerability information. We execute our application and generate a data set for the artifact repositories Maven Central, NuGet.org, and the NPM Registry, storing the resulting graph in a Neo4j graph database. Afterwards, we conduct an extensive analysis of our data aimed at understanding the impact of vulnerabilities in the three repositories. Finally, we summarize the resulting risks and derive possible mitigation strategies for library maintainers and software developers based on our findings. We found that NuGet.org, the smallest artifact repository in our sample, is subject to fewer security concerns than Maven Central or the NPM Registry. However, for all repositories, we found that vulnerabilities may affect libraries via long transitive dependency chains and that a vulnerability in a single library may affect thousands of other libraries transitively.
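The core computation behind the abstract's transitive-impact claim is a reverse reachability query over the release-level dependency graph: start at every release a vulnerability record marks as affected and walk backwards along "depends on" edges, recording the shortest chain that connects each reached release to the vulnerable one. The block below is an added example, not the authors' miner or their Neo4j schema; the artifacts, versions and the vulnerability record are constructed, and the functions `reverse_index`, `transitive_impact` and `impact_summary` are hypothetical names chosen here.

```python
"""Transitive vulnerability impact over an artifact dependency graph.

Added example, not code from the paper or its miner. Artifact names,
versions and the vulnerability record below are constructed.
"""
from collections import defaultdict, deque

# Constructed sample: (dependent, dependency) edges between releases written
# as "name:version". Hypothetical artifacts, not real packages.
SAMPLE_EDGES = [
    ("app-a:1.0", "web-fw:2.1"),
    ("web-fw:2.1", "json-lib:1.4"),
    ("json-lib:1.4", "log-lib:1.2"),
    ("app-b:3.0", "log-lib:1.2"),
    ("app-c:0.9", "log-lib:1.3"),   # pins the patched release only
    ("util:5.0", "json-lib:1.4"),
    ("app-d:2.2", "util:5.0"),
    ("app-d:2.2", "log-lib:1.3"),   # declares the fixed release, but also pulls 1.2 via util
]

# Constructed vulnerability record: affected releases of one artifact.
SAMPLE_VULNS = [
    {"id": "VULN-EXAMPLE-1", "artifact": "log-lib", "affected_versions": {"1.2"}},
]


def reverse_index(edges):
    """Map each release to the set of releases that depend on it directly."""
    dependents = defaultdict(set)
    for dependent, dependency in edges:
        dependents[dependency].add(dependent)
    return dependents


def vulnerable_releases(edges, vulns):
    """Releases present in the graph that a vulnerability record marks as affected."""
    releases = {node for edge in edges for node in edge}
    hits = {}
    for v in vulns:
        for rel in releases:
            name, _, version = rel.rpartition(":")
            if name == v["artifact"] and version in v["affected_versions"]:
                hits[rel] = v["id"]
    return hits


def transitive_impact(edges, vulns):
    """Breadth-first walk backwards along dependency edges from every vulnerable release.

    Returns {release: (vuln_id, depth)} where depth is the length of the
    shortest dependency chain from the release to the vulnerable one
    (0 = the vulnerable release itself, 1 = a direct dependent).
    """
    dependents = reverse_index(edges)
    impact = {}
    for root, vuln_id in vulnerable_releases(edges, vulns).items():
        queue = deque([(root, 0)])
        while queue:
            node, depth = queue.popleft()
            # Skip nodes already reached via an equally short or shorter chain.
            if node in impact and impact[node][1] <= depth:
                continue
            impact[node] = (vuln_id, depth)
            for dep in dependents[node]:
                queue.append((dep, depth + 1))
    return impact


def impact_summary(impact):
    """Counts a maintainer wants: releases hit, direct dependents, and the longest chain."""
    affected = {n for n, (_, d) in impact.items() if d > 0}
    direct = {n for n, (_, d) in impact.items() if d == 1}
    longest = max((d for _, d in impact.values()), default=0)
    return {"affected": len(affected), "direct": len(direct), "longest_chain": longest}


if __name__ == "__main__":
    result = transitive_impact(SAMPLE_EDGES, SAMPLE_VULNS)
    for rel, (vid, depth) in sorted(result.items(), key=lambda kv: kv[1][1]):
        print(f"{rel:<14} {vid}  depth={depth}")
    print(impact_summary(result))
```

On the sample graph the walk reaches app-a:1.0 and app-d:2.2 only through chains of length 3, which is the pattern the paper describes: a release that never declares log-lib at all is still exposed through intermediaries. One caveat for anyone reproducing this kind of analysis: a graph of declared dependencies over-approximates the code that actually ships, because each ecosystem's resolver (Maven's nearest-wins mediation, npm's nested installs, NuGet's lowest-applicable-version rule) decides which release of a conflicting artifact is loaded. app-d:2.2 above is such a case; whether it really carries log-lib:1.2 depends on the resolver, so counts from a declared-dependency graph should be read as an upper bound.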