Corpus ID: 235421650

On the Impact of Security Vulnerabilities in the npm and RubyGems Dependency Networks

Authors: Ahmed Zerouali, T. Mens, Alexandre Decan and Coen De Roover
The increasing interest in open source software has led to the emergence of large package distributions of reusable software libraries, such as npm and RubyGems. These software packages can be subject to security vulnerabilities that may expose dependent packages through explicitly declared dependencies. This article empirically studies security vulnerabilities affecting npm and RubyGems packages. We analyse how and when these vulnerabilities are discovered and fixed, and how their prevalence…


On the Impact of Security Vulnerabilities in the npm Package Dependency Network
An empirical study of nearly 400 security reports over a 6-year period in the npm dependency network containing over 610k JavaScript packages is presented and guidelines for package maintainers and tool developers to improve the process of dealing with security issues are provided.
Small World with High Risks: A Study of Security Threats in the npm Ecosystem
Security risks for users of npm are studied by systematically analyzing dependencies between packages, the maintainers responsible for these packages, and publicly reported security issues to provide evidence that npm suffers from single points of failure and that unmaintained packages threaten large code bases.
Empirical Analysis of Security Vulnerabilities in Python Packages
An empirical study of 550 vulnerability reports affecting 252 Python packages in the Python ecosystem (PyPI), which shows that the discovered vulnerabilities in Python packages are increasing over time, and that they take more than 3 years to be discovered.
Detection, assessment and mitigation of vulnerabilities in open source dependencies
Reports on the lessons learned when maturing the tool from a research prototype to an industrial-grade solution, and presents an empirical study comparing its detection capabilities with those of OWASP Dependency Check.
Out of sight, out of mind? How vulnerable dependencies affect open-source projects
The results highlight the importance of managing the number of dependencies and performing timely updates, and indicate some areas that can be prioritized to improve security in a wide range of projects, such as prevention and mitigation of Denial-of-Service attacks.
Vulnerable open source dependencies: counting those that matter
This case study shows that correct counting allows software development companies to receive actionable information about their library dependencies and therefore to correctly allocate costly development and audit resources, which are spent inefficiently when measurements are distorted.
Software reuse cuts both ways: An empirical analysis of its relationship with security vulnerabilities
It appears that source code reuse is neither a silver bullet to combat vulnerabilities nor a frightening werewolf that entails an excessive number of them; however, a strong correlation between a higher number of dependencies and vulnerabilities is found.
Structure and Evolution of Package Dependency Networks
The results indicate that the number of transitive dependencies for JavaScript has grown 60% over the last year, suggesting that developers should look more carefully into their dependencies to understand what exactly is included.
Measuring Dependency Freshness in Software Systems
A system-level metric based on an industry benchmark is proposed and investigated, showing that the measurements are considered useful, and that systems using outdated dependencies are four times as likely to have security issues as opposed to systems that are up-to-date.
Evaluating Complexity, Code Churn, and Developer Activity Metrics as Indicators of Software Vulnerabilities
This work investigated whether software metrics obtained from source code and development history are discriminative and predictive of vulnerable code locations, and predicted over 80 percent of the known vulnerable files with less than 25 percent false positives for both projects.