Dependency Practices for Vulnerability Mitigation
Abbas Javan Jafari, Diego Elias Costa, Ahmad Abdellatif, Emad Shihab

TL;DR
This paper analyzes npm dependencies to identify factors influencing how quickly packages respond to vulnerabilities, proposing a predictive model to enhance dependency security practices.
Contribution
It introduces a model predicting dependency response speed to vulnerabilities using nine features, based on analysis of over 450 vulnerabilities and 200,000 npm packages.
Findings
Identified key features influencing vulnerability response times
Developed a prediction model for rapid vulnerability fix adoption
Provided insights to improve dependency management practices
Abstract
Relying on dependency packages accelerates software development, but it also increases the exposure to security vulnerabilities that may be present in dependencies. While developers have full control over which dependency packages (and which version) they use, they have no control over the dependencies of their dependencies. Such transitive dependencies, which often amount to a greater number than direct dependencies, can become infected with vulnerabilities and put software projects at risk. To mitigate this risk, practitioners need to select dependencies that respond quickly to vulnerabilities to prevent the propagation of vulnerable code to their project. To identify such dependencies, we analyze more than 450 vulnerabilities in the npm ecosystem to understand why dependent packages remain vulnerable. We identify over 200,000 npm packages that are infected through their dependencies…
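The two mechanics the abstract relies on, transitive exposure and the lag between a fix being published and a dependent admitting it, are concrete enough to compute. The following is an added example, not code from the paper or its authors: it walks a constructed, npm-style resolved dependency graph to find which installed package is vulnerable and through which chain, and then measures how many days the intermediate dependent took to ship a range that admits the fixed version. Every package name, version, advisory id and date is hypothetical, and the range matcher is a deliberately minimal subset of semver (exact, caret, and `<` upper bounds), not the real `semver` library.

```javascript
// Added example (not from the paper): constructed lockfile snapshot and
// constructed advisories. All names, versions, ids and dates are hypothetical.

function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// Minimal range check: exact "1.2.3", caret "^1.2.3", upper bound "<1.2.3".
// Enough for this example; it is not a full semver implementation.
function satisfies(version, range) {
  if (range.startsWith('<')) return compareVersions(version, range.slice(1)) < 0;
  if (range.startsWith('^')) {
    const base = range.slice(1);
    const b = parseVersion(base);
    const v = parseVersion(version);
    if (compareVersions(version, base) < 0) return false;
    // caret keeps the left-most non-zero component fixed
    if (b.major > 0) return v.major === b.major;
    if (b.minor > 0) return v.major === 0 && v.minor === b.minor;
    return version === base;
  }
  return version === range;
}

// Constructed lockfile: one resolved version per package name, as npm dedups.
const LOCK = {
  name: 'my-app',
  requires: { 'web-framework': '^2.1.0', 'test-runner': '^5.0.0' },
  packages: {
    'web-framework': { version: '2.1.4', requires: { 'body-parse': '^1.3.0' } },
    'body-parse':    { version: '1.3.2', requires: { 'deep-merge': '0.9.1' } },
    'deep-merge':    { version: '0.9.1', requires: {} },
    'test-runner':   { version: '5.2.0', requires: {} },
  },
};

// Constructed advisories; the ids are placeholders, not real identifiers.
const ADVISORIES = [
  { id: 'EXAMPLE-1', package: 'deep-merge',  vulnerable: '<0.9.3', fixedIn: '0.9.3', fixPublished: '2023-03-01' },
  { id: 'EXAMPLE-2', package: 'test-runner', vulnerable: '<5.1.0', fixedIn: '5.1.0', fixPublished: '2023-01-10' },
];

// Breadth-first walk from the root, recording the shortest path to each package.
function walkDependencies(lock) {
  const paths = new Map();
  const queue = Object.keys(lock.requires).map((name) => [name, [lock.name, name]]);
  while (queue.length) {
    const [name, path] = queue.shift();
    if (paths.has(name)) continue;
    paths.set(name, path);
    const pkg = lock.packages[name];
    if (!pkg) continue;
    for (const dep of Object.keys(pkg.requires)) queue.push([dep, [...path, dep]]);
  }
  return paths;
}

// Match installed versions against advisories; depth 1 means a direct dependency.
function findExposure(lock, advisories) {
  const paths = walkDependencies(lock);
  const hits = [];
  for (const adv of advisories) {
    const pkg = lock.packages[adv.package];
    if (!pkg || !paths.has(adv.package)) continue;
    if (!satisfies(pkg.version, adv.vulnerable)) continue;
    const path = paths.get(adv.package);
    hits.push({ id: adv.id, package: adv.package, version: pkg.version, path, depth: path.length - 1 });
  }
  return hits;
}

// Constructed release history of the dependent that pins the vulnerable package.
const RELEASES = {
  'body-parse': [
    { version: '1.3.2', date: '2023-02-10', requires: { 'deep-merge': '0.9.1' } },
    { version: '1.3.3', date: '2023-02-25', requires: { 'deep-merge': '0.9.2' } },
    { version: '1.4.0', date: '2023-03-21', requires: { 'deep-merge': '^0.9.3' } },
  ],
};

function daysBetween(a, b) {
  return Math.round((Date.parse(b) - Date.parse(a)) / 86400000);
}

// Days from fix publication until the dependent first shipped a range that admits
// the fixed version: 0 if the range in force at fix time already did, null if no
// release of the dependent ever admits it.
function responseLag(releases, dependency, advisory) {
  const fixTime = Date.parse(advisory.fixPublished);
  const sorted = [...releases].sort((x, y) => Date.parse(x.date) - Date.parse(y.date));
  const admits = (r) => dependency in r.requires && satisfies(advisory.fixedIn, r.requires[dependency]);
  const before = sorted.filter((r) => Date.parse(r.date) <= fixTime);
  const current = before[before.length - 1];
  if (current && admits(current)) return { version: current.version, lagDays: 0 };
  const first = sorted.find((r) => Date.parse(r.date) > fixTime && admits(r));
  return first ? { version: first.version, lagDays: daysBetween(advisory.fixPublished, first.date) } : null;
}

console.log(findExposure(LOCK, ADVISORIES));
console.log(responseLag(RELEASES['body-parse'], 'deep-merge', ADVISORIES[0]));
```

In this constructed data the only vulnerable package is `deep-merge`, reached at depth 3 through `web-framework` and `body-parse`, so nothing in `my-app`'s own `package.json` could have prevented it; the direct dependency `test-runner` is already above its fixed version. The lag computation distinguishes the case where the dependent's existing range already admits the fix (only a lockfile refresh is needed) from the case here, where `body-parse` pinned an exact vulnerable version and took 20 days to publish a range that admits `0.9.3`. That per-dependent lag, over many advisories, is the quantity the paper sets out to predict.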
Peer Reviews
No public reviews on file for this paper yet.
Videos
No videos yet.
Taxonomy
Topics: Software Engineering Research · Information and Cyber Security · Software Reliability and Analysis Research
