Lags in the release, adoption, and propagation of npm vulnerability fixes
Wed 11 May 2022 22:00 - 22:05 at ICSE room 2-even hours - Software Security 6 Chair(s): Travis Breaux
Security vulnerability in third-party dependencies is a growing concern not only for developers of the affected software, but for the risks it poses to an entire software ecosystem, e.g., Heartbleed vulnerability. Recent studies show that developers are slow to respond to the threat of vulnerability, sometimes taking four to eleven months to act. To ensure quick adoption and propagation of a release that contains the fix (fixing release), we conduct an empirical investigation to identify lags that may occur between the vulnerable release and its fixing release (package-side fixing release). Through a preliminary study of 231 package-side fixing release of npm projects on GitHub, we observe that a fixing release is rarely released on its own, with up to 85.72% of the bundled commits being unrelated to a fix. We then compare the package-side fixing release with changes on a client-side (client-side fixing release). Through an empirical study of the adoption and propagation tendencies of 1,290 package-side fixing releases that impact throughout a network of 1,553,325 releases of npm packages, we find that stale clients require additional migration effort, even if the package-side fixing release was quick (i.e., package patch landing). Furthermore, we show the influence of factors such as the branch that the package-side fixing release lands on and the severity of vulnerability on its propagation. In addition to these lags we identify and characterize, this paper lays the groundwork for future research on how to mitigate lags in an ecosystem.
Wed 11 MayDisplayed time zone: Eastern Time (US & Canada) change
03:00 - 04:00 | Software Security 2Journal-First Papers / Technical Track at ICSE room 3-odd hours Chair(s): Liliana Pasquale University College Dublin & Lero | ||
03:00 5mTalk | Lags in the release, adoption, and propagation of npm vulnerability fixes Journal-First Papers Bodin Chinthanet Nara Institute of Science and Technology, Raula Gaikovina Kula Nara Institute of Science and Technology, Shane McIntosh University of Waterloo, Takashi Ishio Nara Institute of Science and Technology, Akinori Ihara Wakayama University, Kenichi Matsumoto Nara Institute of Science and Technology Link to publication DOI Pre-print Media Attached | ||
03:05 5mTalk | The Case for Adaptive Security Interventions Journal-First Papers Irum Rauf The Open University, UK, Marian Petre The Open University, Thein Tun , Tamara Lopez The Open University, Paul Lunn The University of Manchester, UK, Dirk van der Linden Northumbria University, John Towse Department of Psychology, University of Lancaster, UK, Helen Sharp The Open University, Mark Levine Lancaster University, Awais Rashid University of Bristol, UK, Bashar Nuseibeh The Open University (UK) & Lero (Ireland) Link to publication DOI Pre-print Media Attached | ||
03:10 5mTalk | Out of Sight, Out of Mind? How Vulnerable Dependencies Affect Open-Source Projects Journal-First Papers Gede Artha Azriadi Prana Singapore Management University, Abhishek Sharma Veracode, Inc., Lwin Khin Shar Singapore Management University, Darius Foo National University of Singapore, Andrew Santosa Veracode, Inc., Asankhaya Sharma Veracode, Inc., David Lo Singapore Management University Pre-print Media Attached | ||
03:15 5mTalk | MVD: Memory-related Vulnerability Detection Based on Flow-Sensitive Graph Neural Networks Technical Track Sicong Cao Yangzhou University, Xiaobing Sun Yangzhou University, Lili Bo Yangzhou University, Rongxin Wu Xiamen University, Bin Li Yangzhou University, Chuanqi Tao Nanjing University of Aeronautics and Astronautics DOI Pre-print Media Attached | ||
03:20 5mTalk | VulCNN: An Image-inspired Scalable Vulnerability Detection System Technical Track Yueming Wu Huazhong University of Science and Technology, Deqing Zou Huazhong University of Science and Technology, Shihan Dou Huazhong University of Science and Technology, Wei Yang University of Texas at Dallas, Duo Xu Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology DOI Pre-print Media Attached | ||
03:25 5mTalk | DeFault: Mutual Information-based Crash Triage for Massive Crashes Technical Track Xing Zhang National University of Defense Technology, Jiongyi Chen National University of Defense Technology, Chao Feng National University of Defense Technology, Ruilin Li National University of Defense Technolog, Wenrui Diao Shandong University, Kehuan Zhang The Chinese University of Hong Kong Pre-print Media Attached | ||
22:00 - 23:00 | Software Security 6Technical Track / Journal-First Papers at ICSE room 2-even hours Chair(s): Travis Breaux Carnegie Mellon University | ||
22:00 5mTalk | Lags in the release, adoption, and propagation of npm vulnerability fixes Journal-First Papers Bodin Chinthanet Nara Institute of Science and Technology, Raula Gaikovina Kula Nara Institute of Science and Technology, Shane McIntosh University of Waterloo, Takashi Ishio Nara Institute of Science and Technology, Akinori Ihara Wakayama University, Kenichi Matsumoto Nara Institute of Science and Technology Link to publication DOI Pre-print Media Attached | ||
22:05 5mTalk | Aper: Evolution-Aware Runtime Permission Misuse Detection for Android Apps Technical Track Sinan Wang Southern University of Science and Technology, Yibo Wang Northeastern University, Xian Zhan The Hong Kong Polytechnic University, Ying Wang Northeastern University, China, Yepang Liu Southern University of Science and Technology, Xiapu Luo Hong Kong Polytechnic University, Shing-Chi Cheung Hong Kong University of Science and Technology DOI Pre-print Media Attached | ||
22:10 5mTalk | A Grounded Theory Based Approach to Characterize Software Attack Surfaces Technical Track sara moshtari Rochester Institute of Technology, Ahmet Okutan Rochester Institute of Technology, Mehdi Mirakhorli Rochester Institute of Technology Pre-print Media Attached | ||
22:15 5mTalk | The Extent of Orphan Vulnerabilities from Code Reuse in Open Source SoftwareNominated for Distinguished Paper Technical Track David Reid University of Tennessee, Mahmoud Jahanshahi Research Assistant, University of Tennessee Knoxville, Audris Mockus The University of Tennessee DOI Pre-print Media Attached | ||
22:20 5mTalk | MVD: Memory-related Vulnerability Detection Based on Flow-Sensitive Graph Neural Networks Technical Track Sicong Cao Yangzhou University, Xiaobing Sun Yangzhou University, Lili Bo Yangzhou University, Rongxin Wu Xiamen University, Bin Li Yangzhou University, Chuanqi Tao Nanjing University of Aeronautics and Astronautics DOI Pre-print Media Attached | ||
22:25 5mTalk | VulCNN: An Image-inspired Scalable Vulnerability Detection System Technical Track Yueming Wu Huazhong University of Science and Technology, Deqing Zou Huazhong University of Science and Technology, Shihan Dou Huazhong University of Science and Technology, Wei Yang University of Texas at Dallas, Duo Xu Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology DOI Pre-print Media Attached | ||