Tracing Vulnerability Propagation Across Open Source Software Ecosystems
Jukka Ruohonen, Qusai Ramadan

TL;DR
This study traces how over 84,000 vulnerabilities have propagated across 28 open source software ecosystems. The propagation sequences are generally complex and the propagation delays lengthy, and the delays correlate poorly with the number of ecosystems involved; GitHub, Debian, and Ubuntu stand out as the most prominent ecosystems in the sequences.
Contribution
It provides a comprehensive traceability analysis of vulnerability propagation across multiple open source ecosystems, highlighting the complexity and delays involved.
Findings
Propagation sequences are generally complex and lengthy.
No clear correlation between propagation delays and the number of ecosystems involved in a sequence.
GitHub, Debian, and Ubuntu are prominent in vulnerability propagation.
Abstract
The paper presents a traceability analysis of how over 84 thousand vulnerabilities have propagated across 28 open source software ecosystems. According to the results, the propagation sequences have been complex in general, although GitHub, Debian, and Ubuntu stand out. Furthermore, the associated propagation delays have been lengthy, and these do not correlate well with the number of ecosystems involved in the associated sequences. Nor does the presence or absence of particular ecosystems in the sequences yield clear, interpretable patterns. With these results, the paper contributes to the overlapping knowledge bases about software ecosystems, traceability, and vulnerabilities.
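As an added illustration of the kind of traceability computation the abstract describes, the following is example code written for this page, not the authors' code, data or method. It assumes that each ecosystem publishes its own dated advisory for a vulnerability, builds the per-vulnerability propagation sequence by ordering those advisories in time, derives the propagation delay (first to last advisory) and the number of ecosystems involved, and then rank-correlates the two. The vulnerability identifiers, ecosystem names and dates are constructed for the example; the tie handling and duplicate record are there because both occur in real advisory feeds.

```python
"""Added example: tracing a vulnerability's propagation across ecosystems from
dated advisory records and measuring propagation delay.

Not the paper's code or data. The record format, ecosystem names and dates
below are constructed for illustration."""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed advisory records: (vulnerability id, ecosystem, advisory date).
RECORDS = [
    ("VULN-A", "GitHub", date(2023, 1, 10)),
    ("VULN-A", "Debian", date(2023, 1, 25)),
    ("VULN-A", "Ubuntu", date(2023, 2, 1)),
    ("VULN-A", "PyPI",   date(2023, 3, 15)),
    ("VULN-B", "Debian", date(2023, 4, 2)),
    ("VULN-B", "Ubuntu", date(2023, 4, 2)),   # same-day tie
    ("VULN-B", "GitHub", date(2023, 5, 20)),
    ("VULN-C", "GitHub", date(2023, 6, 1)),   # single ecosystem, no propagation
    ("VULN-A", "Debian", date(2023, 1, 25)),  # duplicate record, must not count twice
]


def propagation_sequences(records):
    """Group records by vulnerability and order each group by advisory date.
    Returns {vuln_id: [(ecosystem, date), ...]} with duplicate records removed."""
    grouped = defaultdict(set)
    for vuln, eco, when in records:
        grouped[vuln].add((eco, when))
    # Sort by date, then ecosystem name, so same-day ties order deterministically.
    return {v: sorted(entries, key=lambda e: (e[1], e[0]))
            for v, entries in grouped.items()}


def propagation_delay_days(sequence):
    """Days between the first and the last advisory in a sequence."""
    return (sequence[-1][1] - sequence[0][1]).days


def ecosystems_involved(sequence):
    """Number of distinct ecosystems appearing in a sequence."""
    return len({eco for eco, _ in sequence})


def spearman_rho(xs, ys):
    """Spearman rank correlation with average ranks for ties (no SciPy needed)."""
    def ranks(values):
        order = sorted(range(len(values)), key=lambda i: values[i])
        r = [0.0] * len(values)
        i = 0
        while i < len(order):
            j = i
            while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
                j += 1
            avg = (i + j) / 2 + 1  # 1-based average rank for the tie block
            for k in range(i, j + 1):
                r[order[k]] = avg
            i = j + 1
        return r
    rx, ry = ranks(xs), ranks(ys)
    mx, my = mean(rx), mean(ry)
    num = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    den = (sum((a - mx) ** 2 for a in rx) * sum((b - my) ** 2 for b in ry)) ** 0.5
    return num / den if den else 0.0


def analyse(records):
    """Per-vulnerability sequence, delay and ecosystem count, plus the rank
    correlation between delay and ecosystem count across all vulnerabilities."""
    summary = {}
    for vuln, seq in propagation_sequences(records).items():
        summary[vuln] = {
            "sequence": [eco for eco, _ in seq],
            "delay_days": propagation_delay_days(seq),
            "ecosystems": ecosystems_involved(seq),
        }
    delays = [s["delay_days"] for s in summary.values()]
    counts = [s["ecosystems"] for s in summary.values()]
    return summary, spearman_rho(delays, counts)


if __name__ == "__main__":
    summary, rho = analyse(RECORDS)
    for vuln, s in summary.items():
        print(vuln, " -> ".join(s["sequence"]),
              f"delay={s['delay_days']}d", f"ecosystems={s['ecosystems']}")
    print(f"Spearman rho(delay, ecosystems) = {rho:.2f}")
```

On this tiny constructed input the delay and the ecosystem count move together, so the correlation is perfect; the paper's point is that over the real 84 thousand vulnerabilities the same statistic comes out weak. Sorting ties by ecosystem name keeps the sequence deterministic but also means that same-day advisories (Debian and Ubuntu for VULN-B above) carry no real ordering information, a caveat any propagation-order analysis has to state.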
