Open Source, Open Threats? Investigating Security Challenges in Open-Source Software

TL;DR

This study analyzes a large dataset of OSS vulnerabilities, revealing a rapid increase in reported issues, longer vulnerability lifespans, and ecosystem-specific security challenges, especially malicious packages, highlighting critical security concerns in open-source development.

Contribution

It provides a comprehensive analysis of OSS vulnerability trends, identifying key CWEs, ecosystem-specific patterns, and the prevalence of malicious packages, offering insights for improving security practices.

Findings

Reported vulnerabilities increased by 98% annually.

Vulnerability lifespan grew by 85%, indicating declining security.

Malicious packages constitute 49% of NPM reports.

Abstract

Open-source software (OSS) has become increasingly more popular across different domains. However, this rapid development and widespread adoption come with a security cost. The growing complexity and openness of OSS ecosystems have led to increased exposure to vulnerabilities and attack surfaces. This paper investigates the trends and patterns of reported vulnerabilities within OSS platforms, focusing on the implications of these findings for security practices. To understand the dynamics of OSS vulnerabilities, we analyze a comprehensive dataset comprising 31,267 unique vulnerability reports from GitHub's advisory database and Snyk.io, belonging to 14,675 packages across 10 programming languages. Our analysis reveals a significant surge in reported vulnerabilities, increasing at an annual rate of 98%, far outpacing the 25% average annual growth in the number of open-source software (OSS) packages. Additionally, we observe an 85% increase in the average lifespan of vulnerabilities across ecosystems during the studied period, indicating a potential decline in security. We identify the most prevalent Common Weakness Enumerations (CWEs) across programming languages and find that, on average, just seven CWEs are responsible for over 50% of all reported vulnerabilities. We further examine these commonly observed CWEs and highlight ecosystem-specific trends. Notably, we find that vulnerabilities associated with intentionally malicious packages comprise 49% of reports in the NPM ecosystem and 14% in PyPI, an alarming indication of targeted attacks within package repositories. We conclude with an in-depth discussion of the characteristics and attack vectors associated with these malicious packages.