On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency Networks

Ahmed Zerouali, Tom Mens, Alexandre Decan, Coen De Roover
The International Conference on Software Maintenance and Evolution, Limassol, Cyprus - October 7th, 2022
Published in Empirical Software Engineering Volume 27, Number 107 (2022).
https://doi.org/10.1007/s10664-022-10154-1
2. Background (credits: libraries.io)

3. Motivation: Heartbleed

4. Motivation: Top 10 Web Application Security Risks (credits: OWASP)

5. Goal: understand how vulnerabilities spread in software dependency trees

6. Dependency network

7. Eventually: case studies

8. Example: dependency constraints (Semantic Versioning, package.json)
9. Example: tilde ~
   Constraint: ~1.2.0
   T1: available versions {1.0.0, 1.1.0, 1.2.0, 1.2.1} -> resolves to 1.2.1
   T2 (after some time): available versions {1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0} -> still resolves to 1.2.1

10. Example: caret ^
   Constraint: ^1.2.0
   T1: available versions {1.0.0, 1.1.0, 1.2.0, 1.2.1} -> resolves to 1.2.1
   T2 (after some time): available versions {1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0} -> resolves to 1.3.0

11. Example: ^1.2.0 constraints (^1.2.0, ^1.2.0)
   T1: resolves to 1.2.1
   T2 (after some time): resolves to 1.3.0
12. Case studies
   Data extraction date: 12 January 2020
   Packages: 748k (npm), 94k (RubyGems)
   Identified transitive dependencies for packages and GitHub projects (10k and 13k projects)

13. Case studies: vulnerability reports
   2,188 and 686 vulnerability reports (npm and RubyGems, respectively)
14. RQ0: How prevalent are disclosed vulnerabilities in npm and RubyGems packages?
   Evolution of the number of vulnerabilities affecting npm and RubyGems packages, grouped by severity.
   - The number of vulnerabilities is increasing exponentially for npm and linearly for RubyGems.
   - The proportion of high and critical vulnerabilities seems to increase over time.
15. RQ1: How much time elapses until a vulnerability is disclosed?
   Cumulative proportion of disclosed vulnerabilities since the first affected package release.
   - In npm, critical vulnerabilities are disclosed faster.
   - Vulnerabilities in npm are disclosed faster than in RubyGems.
   - In npm, Malicious Package vulnerabilities are disclosed faster than other vulnerability types.
16. RQ2: For how long do packages remain affected by disclosed vulnerabilities?
   - Disclosed vulnerabilities in npm take a considerably shorter time to fix since the first affected release.
   - For npm, 17.8% of the fixed vulnerabilities needed more than 90 days after their disclosure to be fixed, while this proportion is 10% for RubyGems.
   - Half of the disclosed npm vulnerabilities take more than 4 years to fix since their introduction, compared to 7 years for disclosed RubyGems vulnerabilities.
17. RQ2: For how long do packages remain affected by disclosed vulnerabilities?
   Proportion of fixed vulnerabilities per severity, grouped by the type of the first unaffected release.
   - 65% of all disclosed vulnerabilities are fixed in patch releases.
   - The severity of a vulnerability does not seem to have an impact on the first release type in which the vulnerability is fixed.
18. RQ3: To what extent are dependents exposed to their vulnerable dependencies?
   One vulnerable package can expose a median of:
   - 11 direct dependent packages (npm)
   - 12 direct dependent packages (RubyGems)
   In total, one single vulnerable package is responsible for exposing:
   - a median of 21 and a maximum of 213,851 (67.8%) npm packages;
   - a median of 19 and a maximum of 22,233 (60.2%) RubyGems packages.
19. RQ3: To what extent are dependents exposed to their vulnerable dependencies?
   Monthly evolution of the distribution of the number of vulnerabilities coming from transitive dependencies of all studied packages.
   - Older packages are exposed to more vulnerabilities coming from their dependencies than recent ones.
   - The introduction of the “caret ^” constraint in 2014 led to a decrease in the number of vulnerabilities in the npm supply chain.
20. RQ4: How are vulnerabilities spread in the dependency tree?
   Distribution of the number of vulnerabilities found in package dependencies, grouped by dependency tree level.
   - The number of dependency vulnerabilities for packages decreases at deeper levels of the dependency tree.
   - Vulnerable dependencies continue to be found at the deepest levels (24 for npm and 16 for RubyGems).
21. RQ5: To what extent are dependents exposed to their vulnerable dependencies at their release time?
   - More than 50% of the package releases that are exposed to vulnerabilities via their dependencies at the observation date were not exposed to any disclosed vulnerabilities when they were first created.
   - At the time of their last commit, GitHub projects that make use of RubyGems packages had proportionally more vulnerable direct dependencies than projects with npm dependencies (33.9% compared to 22.1%).
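As an added example (not from the slides or the authors' tooling), a minimal resolver for npm-style tilde and caret constraints that replays the T1/T2 resolutions of slides 9-11 and then walks a constructed dependency tree to show how a release that was clean when created becomes exposed through a transitive dependency once a vulnerable version is published (the RQ4/RQ5 view). The package names, timestamps and vulnerable flags in the registry snapshot are constructed sample data.

```javascript
// Parse "MAJOR.MINOR.PATCH" into numbers (prerelease/build tags are not handled here).
function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// node-semver semantics for the common cases:
//   ~1.2.0 => >=1.2.0 <1.3.0  (patch updates only)
//   ^1.2.0 => >=1.2.0 <2.0.0  (minor and patch updates; for ^0.x.y the leftmost
//                              non-zero component is the one that is frozen)
//   1.2.0  => exactly 1.2.0
function satisfies(candidate, constraint) {
  const op = (constraint[0] === '~' || constraint[0] === '^') ? constraint[0] : '';
  const base = op ? constraint.slice(1) : constraint;
  if (compareVersions(candidate, base) < 0) return false;
  const c = parseVersion(candidate), b = parseVersion(base);
  if (op === '') return compareVersions(candidate, base) === 0;
  if (op === '~') return c.major === b.major && c.minor === b.minor;
  if (b.major !== 0) return c.major === b.major;
  if (b.minor !== 0) return c.major === 0 && c.minor === b.minor;
  return c.major === 0 && c.minor === 0 && c.patch === b.patch;
}

// Highest available version satisfying the constraint (what an install without a
// lockfile picks), or null when nothing matches.
function resolve(constraint, available) {
  const ok = available.filter(v => satisfies(v, constraint));
  return ok.length ? ok.sort(compareVersions).pop() : null;
}

// Constructed registry snapshot (sample data, not real packages). `released` is a
// monotonically increasing timestamp; `vulnerable` marks releases covered by a
// disclosed report. util@1.3.0 is the vulnerable release published at t=2.
const registry = {
  app:  { '1.0.0': { released: 1, deps: { lib: '^1.2.0' }, vulnerable: false } },
  lib:  { '1.2.1': { released: 1, deps: { util: '^1.2.0' }, vulnerable: false },
          '1.3.0': { released: 3, deps: { util: '^1.2.0' }, vulnerable: false } },
  util: { '1.2.1': { released: 1, deps: {}, vulnerable: false },
          '1.3.0': { released: 2, deps: {}, vulnerable: true } },
};

function availableAt(name, t) {
  return Object.keys(registry[name]).filter(v => registry[name][v].released <= t);
}

// Resolve the transitive tree of name@version as it would be installed at time t.
// Returns a list of { name, version, level, vulnerable }, root at level 0.
function resolveTree(name, version, t) {
  const out = [];
  const seen = new Set();
  const walk = (pkg, ver, level) => {
    const key = pkg + '@' + ver;
    if (seen.has(key)) return;            // guard against cycles and shared deps
    seen.add(key);
    const meta = registry[pkg][ver];
    out.push({ name: pkg, version: ver, level, vulnerable: meta.vulnerable });
    for (const [dep, constraint] of Object.entries(meta.deps)) {
      const picked = resolve(constraint, availableAt(dep, t));
      if (picked !== null) walk(dep, picked, level + 1);
    }
  };
  walk(name, version, 0);
  return out;
}

// Count vulnerable dependencies per tree level (the per-level view of RQ4).
function vulnerableByLevel(tree) {
  const counts = {};
  for (const node of tree) {
    if (node.level > 0 && node.vulnerable) counts[node.level] = (counts[node.level] || 0) + 1;
  }
  return counts;
}

// Is name@version exposed to a vulnerable dependency when observed at time t? (RQ5)
function exposedAt(name, version, t) {
  return resolveTree(name, version, t).some(n => n.level > 0 && n.vulnerable);
}

// Slides 9 and 10: same release sets, different constraint.
const t1 = ['1.0.0', '1.1.0', '1.2.0', '1.2.1'];
const t2 = [...t1, '1.3.0'];
console.log(resolve('~1.2.0', t1), resolve('~1.2.0', t2));   // 1.2.1 1.2.1
console.log(resolve('^1.2.0', t1), resolve('^1.2.0', t2));   // 1.2.1 1.3.0
// app@1.0.0 is clean at creation (t=1) but exposed two levels down from t=2 on.
console.log(exposedAt('app', '1.0.0', 1), vulnerableByLevel(resolveTree('app', '1.0.0', 2)));
```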
22. Conclusion
   Zerouali, A., Mens, T., Decan, A. and De Roover, C. On the impact of security vulnerabilities in the npm and RubyGems dependency networks. Empirical Software Engineering Volume 27, Number 107 (2022). https://doi.org/10.1007/s10664-022-10154-1
   - The number of vulnerabilities is increasing over time, alongside the number of vulnerable packages and their exposed dependents.
   - More effort is needed. All parties can help.
23. RQ0: How prevalent are disclosed vulnerabilities in npm and RubyGems packages?
   Top 10 vulnerability types.

24. RQ3: To what extent are dependents exposed to their vulnerable dependencies?
   - 8.1% of the direct dependencies of GitHub projects on npm are vulnerable, while this is 10.9% for RubyGems.
   - npm-dependent projects have more highly vulnerable direct dependencies than RubyGems-dependent projects.
   - Only 3.2% of the indirect npm dependencies of GitHub projects are vulnerable, while this is more than three times higher (10.5%) for RubyGems.