A Comprehensive Study on the Impact of Vulnerable Dependencies on Open-Source Software

TL;DR

This study analyzes the prevalence and persistence of vulnerabilities in open-source dependencies across multiple languages, revealing that most vulnerabilities are transitive and often remain unpatched for over a year.

Contribution

It provides a large-scale, multi-language analysis of dependency vulnerabilities using a novel SCA-based approach over a decade of project data.

Findings

Vulnerable dependencies are mostly transitive across languages.

Critical vulnerabilities persist for over a year before fixing.

The dataset covers over 1,000 projects and 50,000 releases.

Abstract

Open-source libraries are widely used by software developers to speed up the development of products, however, they can introduce security vulnerabilities, leading to incidents like Log4Shell. With the expanding usage of open-source libraries, it becomes even more imperative to comprehend and address these dependency vulnerabilities. The use of Software Composition Analysis (SCA) tools does greatly help here as they provide a deep insight on what dependencies are used in a project, enhancing the security and integrity in the software supply chain. In order to learn how wide spread vulnerabilities are and how quickly they are being fixed, we conducted a study on over 1k open-source software projects with about 50k releases comprising several languages such as Java, Python, Rust, Go, Ruby, PHP, and JavaScript. Our objective is to investigate the severity, persistence, and distribution of these vulnerabilities, as well as their correlation with project metrics such as team and contributors size, activity and release cycles. In order to perform such analysis, we crawled over 1k projects from github including their version history ranging from 2013 to 2023 using VODA, our SCA tool. Using our approach, we can provide information such as library versions, dependency depth, and known vulnerabilities, and how they evolved over the software development cycle. Being larger and more diverse than datasets used in earlier works and studies, ours provides better insights and generalizability of the gained results. The data collected answers several research questions about the dependency depth and the average time a vulnerability persists. Among other findings, we observed that for most programming languages, vulnerable dependencies are transitive, and a critical vulnerability persists in average for over a year before being fixed.