Towards Measuring Vulnerabilities and Exposures in Open-Source Packages
Tobias Dam, Sebastian Neumaier

TL;DR
This paper provides a quantitative analysis of vulnerabilities in open-source packages, examining their frequency, distribution, and evolution across popular repositories and package managers to understand their impact.
Contribution
It offers an up-to-date overview of open-source vulnerabilities, mapping CVEs to libraries and analyzing their prevalence across programming languages.
Findings
Vulnerabilities are widespread in popular open-source packages.
Certain programming languages have higher vulnerability frequencies.
Vulnerabilities tend to increase over time in open-source ecosystems.
Abstract
Much of the current software depends on open-source components, which in turn have complex dependencies on other open-source libraries. Vulnerabilities in open source therefore have potentially huge impacts. The goal of this work is to get a quantitative overview of the frequency and evolution of existing vulnerabilities in popular software repositories and package managers. To this end, we provide an up-to-date overview of the open source landscape and its most popular package managers, we discuss approaches to map entries of the Common Vulnerabilities and Exposures (CVE) list to open-source libraries, and we show the frequency and distribution of existing CVE entries with respect to popular programming languages.
Taxonomy
Topics: Security and Verification in Computing · Software Engineering Research · Web Application Security Vulnerabilities
