On the Effect of Transitivity and Granularity on Vulnerability Propagation in the Maven Ecosystem

Amir M. Mir; Mehdi Keshani; Sebastian  Proksch

doi:10.1109/SANER56733.2023.00028

On the Effect of Transitivity and Granularity on Vulnerability Propagation in the Maven Ecosystem

Amir M. Mir^*, Mehdi Keshani, Sebastian Proksch

^*Corresponding author for this work

Software Engineering

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

1 Citation (Scopus)

26 Downloads (Pure)

Abstract

Reusing software libraries is a pillar of modern software engineering. In 2022, the average Java application depends on 40 third-party libraries. Relying on such libraries exposes a project to potential vulnerabilities and may put an application and its users at risk. Unfortunately, research on software ecosystems has shown that the number of projects that are affected by such vulnerabilities is rising. Previous investigations usually reason about dependencies on the dependency level, but we believe that this highly inflates the actual number of affected projects. In this work, we study the effect of transitivity and granularity on vulnerability propagation in the Maven ecosystem. In our research methodology, we gather a large dataset of 3M recent Maven packages. We obtain the full transitive set of dependencies for this dataset, construct whole-program call graphs, and perform reachability analysis. This approach allows us to identify Maven packages that are actually affected by using vulnerable dependencies. Our empirical results show that: (1) about 1/3 of packages in our dataset are identified as vulnerable if and only if all the transitive dependencies are considered. (2) less than 1% of packages have a reachable call path to vulnerable code in their dependencies, which is far lower than that of a naive dependency-based analysis. (3) limiting the depth of the resolved dependency tree might be a useful technique to reduce computation time for expensive fine-grained (vulnerability) analysis. We discuss the implications of our work and provide actionable insights for researchers and practitioners.

Original language	English
Title of host publication	Proceedings of the 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)
Editors	Cristina Ceballos
Place of Publication	Piscataway
Publisher	IEEE
Pages	201-211
Number of pages	11
ISBN (Electronic)	978-1-6654-5278-6
ISBN (Print)	978-1-6654-5279-3
DOIs	https://doi.org/10.1109/SANER56733.2023.00028
Publication status	Published - 2023
Event	2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER) - Taipa, Macao Duration: 21 Mar 2023 → 24 Mar 2023

Conference

Conference	2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)
Country/Territory	Macao
City	Taipa
Period	21/03/23 → 24/03/23

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

Keywords

software vulnerabilities
Maven
fine-grained analysis
software ecosystem

Access to Document

10.1109/SANER56733.2023.00028

On_the_Effect_of_Transitivity_and_Granularity_on_Vulnerability_Propagation_in_the_Maven_EcosystemFinal published version, 1.41 MB

Cite this

@inproceedings{600fd3dc906948e68911f4cd2253e714,

title = "On the Effect of Transitivity and Granularity on Vulnerability Propagation in the Maven Ecosystem",

abstract = "Reusing software libraries is a pillar of modern software engineering. In 2022, the average Java application depends on 40 third-party libraries. Relying on such libraries exposes a project to potential vulnerabilities and may put an application and its users at risk. Unfortunately, research on software ecosystems has shown that the number of projects that are affected by such vulnerabilities is rising. Previous investigations usually reason about dependencies on the dependency level, but we believe that this highly inflates the actual number of affected projects. In this work, we study the effect of transitivity and granularity on vulnerability propagation in the Maven ecosystem. In our research methodology, we gather a large dataset of 3M recent Maven packages. We obtain the full transitive set of dependencies for this dataset, construct whole-program call graphs, and perform reachability analysis. This approach allows us to identify Maven packages that are actually affected by using vulnerable dependencies. Our empirical results show that: (1) about 1/3 of packages in our dataset are identified as vulnerable if and only if all the transitive dependencies are considered. (2) less than 1% of packages have a reachable call path to vulnerable code in their dependencies, which is far lower than that of a naive dependency-based analysis. (3) limiting the depth of the resolved dependency tree might be a useful technique to reduce computation time for expensive fine-grained (vulnerability) analysis. We discuss the implications of our work and provide actionable insights for researchers and practitioners.",

keywords = "software vulnerabilities, Maven, fine-grained analysis, software ecosystem",

author = "Mir, {Amir M.} and Mehdi Keshani and Sebastian Proksch",

note = "Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.; 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER) ; Conference date: 21-03-2023 Through 24-03-2023",

year = "2023",

doi = "10.1109/SANER56733.2023.00028",

language = "English",

isbn = "978-1-6654-5279-3",

pages = "201--211",

editor = "Ceballos, {Cristina }",

booktitle = "Proceedings of the 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)",

publisher = "IEEE",

address = "United States",

}

Mir, AM , Keshani, M & Proksch, S 2023, On the Effect of Transitivity and Granularity on Vulnerability Propagation in the Maven Ecosystem. in C Ceballos (ed.), Proceedings of the 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). IEEE, Piscataway, pp. 201-211, 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), Taipa, Macao, 21/03/23. https://doi.org/10.1109/SANER56733.2023.00028

On the Effect of Transitivity and Granularity on Vulnerability Propagation in the Maven Ecosystem. / Mir, Amir M.; Keshani, Mehdi ; Proksch, Sebastian .
Proceedings of the 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). ed. / Cristina Ceballos. Piscataway: IEEE, 2023. p. 201-211.

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - On the Effect of Transitivity and Granularity on Vulnerability Propagation in the Maven Ecosystem

AU - Mir, Amir M.

AU - Keshani, Mehdi

AU - Proksch, Sebastian

N1 - Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

PY - 2023

Y1 - 2023

N2 - Reusing software libraries is a pillar of modern software engineering. In 2022, the average Java application depends on 40 third-party libraries. Relying on such libraries exposes a project to potential vulnerabilities and may put an application and its users at risk. Unfortunately, research on software ecosystems has shown that the number of projects that are affected by such vulnerabilities is rising. Previous investigations usually reason about dependencies on the dependency level, but we believe that this highly inflates the actual number of affected projects. In this work, we study the effect of transitivity and granularity on vulnerability propagation in the Maven ecosystem. In our research methodology, we gather a large dataset of 3M recent Maven packages. We obtain the full transitive set of dependencies for this dataset, construct whole-program call graphs, and perform reachability analysis. This approach allows us to identify Maven packages that are actually affected by using vulnerable dependencies. Our empirical results show that: (1) about 1/3 of packages in our dataset are identified as vulnerable if and only if all the transitive dependencies are considered. (2) less than 1% of packages have a reachable call path to vulnerable code in their dependencies, which is far lower than that of a naive dependency-based analysis. (3) limiting the depth of the resolved dependency tree might be a useful technique to reduce computation time for expensive fine-grained (vulnerability) analysis. We discuss the implications of our work and provide actionable insights for researchers and practitioners.

AB - Reusing software libraries is a pillar of modern software engineering. In 2022, the average Java application depends on 40 third-party libraries. Relying on such libraries exposes a project to potential vulnerabilities and may put an application and its users at risk. Unfortunately, research on software ecosystems has shown that the number of projects that are affected by such vulnerabilities is rising. Previous investigations usually reason about dependencies on the dependency level, but we believe that this highly inflates the actual number of affected projects. In this work, we study the effect of transitivity and granularity on vulnerability propagation in the Maven ecosystem. In our research methodology, we gather a large dataset of 3M recent Maven packages. We obtain the full transitive set of dependencies for this dataset, construct whole-program call graphs, and perform reachability analysis. This approach allows us to identify Maven packages that are actually affected by using vulnerable dependencies. Our empirical results show that: (1) about 1/3 of packages in our dataset are identified as vulnerable if and only if all the transitive dependencies are considered. (2) less than 1% of packages have a reachable call path to vulnerable code in their dependencies, which is far lower than that of a naive dependency-based analysis. (3) limiting the depth of the resolved dependency tree might be a useful technique to reduce computation time for expensive fine-grained (vulnerability) analysis. We discuss the implications of our work and provide actionable insights for researchers and practitioners.

KW - software vulnerabilities

KW - Maven

KW - fine-grained analysis

KW - software ecosystem

UR - http://www.scopus.com/inward/record.url?scp=85160509941&partnerID=8YFLogxK

U2 - 10.1109/SANER56733.2023.00028

DO - 10.1109/SANER56733.2023.00028

M3 - Conference contribution

SN - 978-1-6654-5279-3

SP - 201

EP - 211

BT - Proceedings of the 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)

A2 - Ceballos, Cristina

PB - IEEE

CY - Piscataway

T2 - 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)

Y2 - 21 March 2023 through 24 March 2023

ER -

On the Effect of Transitivity and Granularity on Vulnerability Propagation in the Maven Ecosystem

Abstract

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this