The increasing interest in open source software has led to the emergence of large package distributions of reusable software libraries, such as npm and RubyGems. These software packages can be subject to security vulnerabilities that may expose dependent packages through explicitly declared dependencies. This article empirically studies security vulnerabilities affecting npm and RubyGems packages. We analyse how and when these vulnerabilities are discovered and fixed, and how their prevalence changes over time. We also analyse how vulnerable packages expose their direct and indirect dependents to vulnerabilities. We distinguish between two types of dependents: packages distributed via the package manager, and external GitHub projects. Compared to RubyGems, we observe that the number of vulnerabilities is increasing faster in npm, but vulnerabilities are also discovered faster in npm. For both package distributions, the time required to discover vulnerabilities is increasing, but npm is improving the time needed to fix vulnerabilities. A large proportion of external GitHub projects are exposed to vulnerabilities coming from direct or indirect dependencies. Around one out of three direct vulnerable dependencies to which projects or packages are exposed could be avoided, if software developers would update their dependencies to more recent releases within the same major release range.
翻译:由于对开放源码软件的兴趣日益浓厚,因此出现了大量可重复使用的软件库(如 npm 和 RubyGems)的软件包分布。这些软件包可能存在安全弱点,可能通过明确宣布的相互依存关系暴露出依赖性的软件包。本篇文章对影响npm 和 RubyGems 软件包的安全弱点进行了经验性研究。我们分析了这些弱点是如何和何时发现和固定的,以及这些弱点随时间而变化的。我们还分析了脆弱的软件包如何使其直接和间接依赖者暴露于脆弱性。我们区分了两类受扶养人:通过软件包管理者分发的软件包和外部GitHub项目。与RubyGiHub项目相比,我们观察到在npm的脆弱数目增加得更快,但在 npm中也发现了脆弱性。对于这两个软件包的分发而言,发现脆弱性所需的时间正在增加,但Npm正在改善修复脆弱性所需的时间。大部分外部的吉伯项目都暴露于直接或间接依赖性的脆弱性。我们区分了两类受依赖者。如果软件开发者能够避免项目或包件的三种直接依赖性,如果软件开发者能够更新其最近的释放范围,那么,那么,那么,那么,那么,那么,那么,那么,就有可能避免这些受这些受这种依赖关系中的三种直接脆弱的直接依赖性项目或包件中的一种。
相关内容
微信扫码咨询专知VIP会员