The Similarities of Software Vulnerabilities for Interpreted Programming Languages
Jukka Ruohonen
2021 IEEE International Conference on Progress in Informatics and Computing (PIC), published 2021-12-17
DOI: 10.1109/PIC53636.2021.9687053 (https://doi.org/10.1109/PIC53636.2021.9687053)
This short paper examines the similarities and differences of software vulnerabilities reported for interpreted programming languages. Based on a sample of vulnerabilities from four software repositories (Maven, npm, PyPI, and RubyGems), the Common Vulnerability Scoring System (CVSS) and the Common Weakness Enumeration (CWE) are used for comparing the vulnerabilities across the repositories. According to the results, (i) the severity of the vulnerabilities is similar across the repositories; the median CVSS v.3 base scores are around seven. Similarity can also be observed in the weaknesses underlying the vulnerabilities. In particular, (ii) cross-site scripting and input validation have been the most typical weaknesses across all four repositories. The same applies to path-traversal bugs, unauthorized accesses, and resource management bugs. With these observations, the paper contributes to the recent active research on language-specific software repositories.