CVE Breadcrumbs: Tracking Vulnerabilities Through Versioned Apache Libraries

TL;DR

This paper analyzes the history of security vulnerabilities in Apache libraries by compiling a large dataset of CVEs and CWEs, revealing trends in vulnerability recurrence, disclosure, and remediation to improve security practices.

Contribution

It provides a comprehensive dataset and empirical analysis of vulnerabilities in Apache libraries, offering new insights into vulnerability lifecycle and recurrence patterns.

Findings

Identified most persistent CWEs in Apache libraries.

Measured average time from CVE introduction to disclosure.

Analyzed remediation timelines and recurrence patterns.

Abstract

The Apache Software Foundation (ASF) ecosystem underpins a vast portion of modern software infrastructure, powering widely used components such as Log4j, Tomcat, and Struts. However, the ubiquity of these libraries has made them prime targets for high-impact security vulnerabilities, as illustrated by incidents like Log4Shell. Despite their widespread adoption, Apache projects are not immune to recurring and severe security weaknesses. We conduct a historical analysis of the Apache ecosystem to follow the "breadcrumb trail of vulnerabilities" by compiling a comprehensive dataset of Common Vulnerabilities and Exposures (CVEs) and Common Weakness Enumerations (CWEs). We examine trends in exploit recurrence, disclosure timelines, and remediation practices. Our analysis is guided by four key research questions: (1) What are the most persistent and repeated CWEs in Apache libraries? (2) How long do CVEs persist before being addressed? (3) What is the delay between CVE introduction and official disclosure? and (4) How long after disclosure are CVEs remediated? We present a detailed timeline of vulnerability lifecycle stages across Apache libraries and offer insights to improve secure coding practices, vulnerability monitoring, and remediation strategies. Our contributions include a curated dataset covering 24,285 Apache libraries, 1,285 CVEs, and 157 CWEs, along with empirical findings and developer-focused recommendations.