EASE 2024
Tue 18 - Fri 21 June 2024 Salerno, Italy
Thu 20 Jun 2024 14:38 - 14:51 at Room Vietri - Security (1) Chair(s): Giuseppe Scanniello

Industrial applications heavily rely on open-source software (OSS) libraries, which provide various benefits. But, they can also present a substantial risk if a vulnerability or attack arises and the community fails to promptly address the issue and release a fix due to inactivity. To be able to monitor the activities of such communities, a comprehensive list of repositories for the libraries of an ecosystem must be accessible. Based on these repositories, integrated libraries of an application can be monitored to observe whether they are adequately maintained. In this descriptive study, we analyze the accessibility of GitHub repositories for PyPI and NPM libraries. For all available libraries, we extract assigned repository URLs, direct dependencies and use the page rank algorithm to comprehensively analyze the ecosystems from a library and dependency chain perspective. For invalid repository URLs, we derive potential reasons. Both ecosystems show varying accessibility to GitHub repository URLs, depending on the page rank score of the analyzed libraries. For individual libraries, up to 73.8% of PyPI and up to 69.4% of NPM libraries have repository URLs. Within dependency chains, up to 80.1% of PyPI libraries have URLs, while up to 81.1% for NPM. That means, most libraries, especially the ones of increasing importance, can be monitored on GitHub. Among the most common reasons for invalid repository URLs is no URLs being assigned at all, which amounts up to 17.9% for PyPI and up to 39.6% for NPM. Package maintainers should address this issue and update the repository information to enable monitoring of their libraries.

Thu 20 Jun

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

14:00 - 15:30
14:00
12m
Talk
Analyzing Prerequisites of known Deserialization Vulnerabilities on Java Applications
Research Papers
Bruno Kreyssig Umeå University, Alexandre Bartel Umeå University
14:12
12m
Talk
An Extensive Comparison of Static Application Security Testing Tools
Research Papers
Matteo Esposito University of Rome Tor Vergata, Valentina Falaschi University of Rome Tor Vergata, Davide Falessi University of Rome Tor Vergata, Italy
Pre-print
14:25
12m
Talk
Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers
Industry
Therese Fehrer JADS, Tilburg University صs-Hertogenbosch, Rocio Cabrera Lozoya SAP Security Research, Antonino Sabetta SAP Labs, Dario Di Nucci University of Salerno, Damian Andrew Tamburri TU/e
14:38
12m
Talk
Analyzing the Accessibility of GitHub Repositories for PyPI and NPM Libraries
Short Papers, Vision and Emerging Results
DOI Pre-print
14:51
12m
Talk
Unveiling iOS Scamwares through Crowdturfing Reviews
Short Papers, Vision and Emerging Results
Zhipeng Xu Shanghai Jiao Tong University
15:04
12m
Talk
Mining REST APIs for Potential Mass Assignment Vulnerabilities
Short Papers, Vision and Emerging Results
Arash Mazidi , Davide Corradini University of Verona, Mohammad Ghafari TU Clausthal
15:17
12m
Talk
Negative Complement of a Set of Vulnerability-Fixing Commits: Method and Dataset
Industry
Rocio Cabrera Lozoya SAP Security Research, Antonino Sabetta SAP Labs, Tommaso Aiello SAP Security Research