Demystifying the Vulnerability Propagation and Its Evolution via Dependency Trees in the NPM Ecosystem
Thu 12 May 2022 20:30 - 20:35 at ICSE room 2-even hours - Program Comprehension 4 Chair(s): Fabio Petrillo
Third-party libraries with rich functionality speed up JavaScript development and have driven the explosive growth of the NPM ecosystem. However, they also bring new security threats, since vulnerabilities can be introduced through dependencies on third-party libraries. In particular, these threats can be greatly amplified by transitive dependencies. Existing research either considers only direct dependencies or reasons about transitive dependencies through reachability analysis, which neglects the NPM-specific dependency resolution rules applied during actual installation and therefore resolves dependencies incorrectly. Consequently, finer-grained analyses, such as precisely tracing vulnerability propagation and its evolution over time in dependencies, cannot be carried out accurately at a large scale, and neither can ecosystem-wide solutions for vulnerabilities in dependencies be derived.
To fill this gap, we propose a knowledge-graph-based dependency resolution that resolves the inner dependency relations of dependencies as trees (i.e., dependency trees) and investigates the security threats from vulnerabilities in dependency trees at a large scale. Specifically, we first construct a complete dependency-vulnerability knowledge graph (DVGraph) that captures the whole NPM ecosystem (over 10 million library versions and 60 million well-resolved dependency relations). Based on it, we propose a novel algorithm (DTResolver) that statically and precisely resolves the dependency tree, as well as the transitive vulnerability propagation paths, of each package by taking the official dependency resolution rules into account. On that basis, we carry out an ecosystem-wide empirical study of vulnerability propagation and its evolution in dependency trees. Our study reveals many useful findings, and we further discuss the lessons learned and solutions for different stakeholders to mitigate the impact of vulnerabilities in NPM based on these findings. For example, we implement a dependency-tree-based vulnerability remediation method (DTReme) for NPM packages, which achieves much better performance than the official tool (npm audit fix).
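The following is an added illustration, not code from the paper or from its DVGraph/DTResolver tooling, of the distinction the abstract draws: a resolver that follows npm's rule of installing the highest published version satisfying each range produces the dependency tree that would actually be installed, and vulnerability propagation paths are read off that tree, whereas a reachability analysis that treats every version inside a range as installed over-approximates and flags vulnerable versions npm would never pick. The registry, package names, version numbers and the advisory are all constructed for this example, and only the highest-matching-version rule is modelled; npm's deduplication and hoisting of already-installed versions, which the paper's DTResolver accounts for, are left out.

```python
"""Resolve npm-style dependency trees and trace vulnerability propagation paths.

Added example, not code from the paper or its DVGraph/DTResolver tooling. It uses a
constructed toy registry and a constructed advisory, and models only one of npm's
resolution rules (each range resolves to the highest published version that
satisfies it); npm's deduplication/hoisting of already-installed versions is not
modelled here.
"""
import operator
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, int, int]
Path = List[str]

# Constructed registry: package -> {version: {dependency: semver range}}
REGISTRY: Dict[str, Dict[str, Dict[str, str]]] = {
    "app":        {"1.0.0": {"web-lib": "^2.0.0"}},
    "legacy-app": {"1.0.0": {"web-lib": "~2.0.0"}},
    "web-lib": {
        "2.0.0": {"parser-lib": "~1.0.0"},
        "2.1.0": {"parser-lib": "^1.1.0"},
    },
    "parser-lib": {"1.0.0": {}, "1.1.0": {}, "1.2.0": {}},
}

# Constructed advisory: (package, affected range). Hypothetical, not a real CVE.
ADVISORIES = [("parser-lib", "<1.2.0")]


def parse(version: str) -> Version:
    major, minor, patch = (int(x) for x in version.split("."))
    return major, minor, patch


def _satisfies_one(v: Version, spec: str) -> bool:
    """One comparator: ^, ~, <, <=, >, >=, or an exact version."""
    if spec.startswith("^"):                 # same major line (0.x special cases omitted)
        base = parse(spec[1:])
        return base <= v < (base[0] + 1, 0, 0)
    if spec.startswith("~"):                 # same minor line
        base = parse(spec[1:])
        return base <= v < (base[0], base[1] + 1, 0)
    for op, fn in (("<=", operator.le), (">=", operator.ge),
                   ("<", operator.lt), (">", operator.gt)):
        if spec.startswith(op):
            return fn(v, parse(spec[len(op):]))
    return v == parse(spec)


def satisfies(version: str, range_spec: str) -> bool:
    """Space-separated comparators are ANDed, as in '>=1.0.0 <1.2.0'."""
    v = parse(version)
    return all(_satisfies_one(v, part) for part in range_spec.split())


def matching_versions(name: str, range_spec: str) -> List[str]:
    """All published versions of `name` that satisfy the range, ascending."""
    return sorted((v for v in REGISTRY[name] if satisfies(v, range_spec)), key=parse)


def pick_version(name: str, range_spec: str) -> str:
    """npm's rule: install the highest published version that satisfies the range."""
    candidates = matching_versions(name, range_spec)
    if not candidates:
        raise LookupError(f"no version of {name} satisfies {range_spec}")
    return candidates[-1]


def is_vulnerable(name: str, version: str) -> bool:
    return any(name == pkg and satisfies(version, rng) for pkg, rng in ADVISORIES)


def propagation_paths(name: str, version: str, path: Optional[Path] = None) -> List[Path]:
    """Resolve the dependency tree under name@version and return every path from the
    root to a vulnerable node, e.g. ['legacy-app@1.0.0', 'web-lib@2.0.0', 'parser-lib@1.0.0']."""
    node = f"{name}@{version}"
    path = (path or []) + [node]
    if path.count(node) > 1:                 # cycle guard: do not re-expand a visited node
        return []
    found = [path] if is_vulnerable(name, version) else []
    for dep, rng in REGISTRY[name][version].items():
        found += propagation_paths(dep, pick_version(dep, rng), path)
    return found


def naive_reachable_vulnerable(name: str, version: str,
                               seen: Optional[Set[Tuple[str, str]]] = None) -> List[str]:
    """Reachability analysis: treat every version that satisfies a range as reachable.
    This over-approximates the installed tree, so it can flag versions npm never installs."""
    seen = seen if seen is not None else set()
    if (name, version) in seen:
        return []
    seen.add((name, version))
    hits = [f"{name}@{version}"] if is_vulnerable(name, version) else []
    for dep, rng in REGISTRY[name][version].items():
        for v in matching_versions(dep, rng):
            hits += naive_reachable_vulnerable(dep, v, seen)
    return hits


if __name__ == "__main__":
    for root in ("app", "legacy-app"):
        print(root, "resolved propagation paths:", propagation_paths(root, "1.0.0"))
        print(root, "naive reachability hits:   ", naive_reachable_vulnerable(root, "1.0.0"))
```

For `app`, the resolved tree is `app@1.0.0 -> web-lib@2.1.0 -> parser-lib@1.2.0`, which is not affected, so no propagation path exists; the naive analysis nevertheless reports `parser-lib@1.0.0` and `parser-lib@1.1.0` because they fall inside ranges that are never resolved to them. For `legacy-app`, both approaches agree that `parser-lib@1.0.0` is installed, and the resolved tree additionally yields the exact path along which the vulnerability propagates, which is what a remediation step needs.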
Wed 11 May (displayed time zone: Eastern Time (US & Canada))

03:00 - 04:00 | Software Ecosystems 1 | Technical Track / Journal-First Papers | ICSE room 2-odd hours | Chair(s): Massimiliano Di Penta (University of Sannio, Italy)

03:00 | 5m talk | API-related Developer Information Needs in Stack Overflow | Journal-First Papers | Mingwei Liu (Fudan University), Xin Peng (Fudan University), Andrian Marcus (University of Texas at Dallas), Shuangshuang Xing (Fudan University), Christoph Treude (University of Melbourne), Chengyuan Zhao (Fudan University) | Link to publication, DOI, Pre-print, Media Attached

03:05 | 5m talk | GitHub Discussions: An exploratory study of early adoption | Journal-First Papers | Hideaki Hata (Shinshu University), Nicole Novielli (University of Bari), Sebastian Baltes (SAP SE & University of Adelaide), Raula Gaikovina Kula (Nara Institute of Science and Technology), Christoph Treude (University of Melbourne) | Link to publication, DOI, Pre-print, Media Attached

03:10 | 5m talk | An Exploratory Study of Deep Learning Supply Chain | Technical Track | Xin Tan (Beihang University, China), Kai Gao (University of Science and Technology Beijing), Minghui Zhou (Peking University, China), Li Zhang (Beihang University) | Pre-print, Media Attached

03:15 | 5m talk | Demystifying the Vulnerability Propagation and Its Evolution via Dependency Trees in the NPM Ecosystem | Technical Track | Chengwei Liu (Tianjin University and Nanyang Technological University), Sen Chen (Tianjin University), Lingling Fan (Nankai University), Bihuan Chen (Fudan University, China), Yang Liu (Nanyang Technological University), Xin Peng (Fudan University) | Pre-print, Media Attached
Thu 12 May (displayed time zone: Eastern Time (US & Canada))

20:00 - 21:00 | Program Comprehension 4 | Technical Track / SEET - Software Engineering Education and Training / Journal-First Papers | ICSE room 2-even hours | Chair(s): Fabio Petrillo (École de technologie supérieure (ÉTS), Montréal -- Université du Québec)

20:00 | 5m talk | An Ensemble Approach for Annotating Source Code Identifiers with Part-of-speech Tags | Journal-First Papers | Christian D. Newman (Rochester Institute of Technology), Michael J. Decker (Bowling Green State University), Reem S. Alsuhaibani (Kent State University), Anthony Peruma (Rochester Institute of Technology), Mohamed Wiem Mkaouer (Rochester Institute of Technology), Satyajit Mohapatra (Rochester Institute of Technology), Tejal Vishnoi (Rochester Institute of Technology), Marcos Zampieri (Rochester Institute of Technology), Timothy Sheldon (BNY Mellon), Emily Hill (Drew University) | Link to publication, DOI, Pre-print, Media Attached

20:05 | 5m talk | Why My Code Summarization Approach Does Not Work: Improving Code Summarization with Comment Category Prediction | Journal-First Papers | Qiuyuan Chen (Zhejiang University), Xin Xia (Huawei Software Engineering Application Technology Lab), Han Hu (Faculty of Information Technology, Monash University), David Lo (Singapore Management University), Shanping Li (Zhejiang University) | Pre-print, Media Attached

20:10 | 5m talk | Reading to Write Code: An Experience Report of a Reverse Engineering and Modeling Course | SEET - Software Engineering Education and Training | Brooke Kelsey Ryan (University of California, Irvine), Adriana Meza Soria (UC Irvine), Kaj Dreef (University of California, Irvine), Andre van der Hoek (University of California, Irvine) | DOI, Pre-print, Media Attached

20:15 | 5m talk | Pausing While Programming: Insights From Keystroke Analysis | SEET - Software Engineering Education and Training | Raj Shrestha (Utah State University), Juho Leinonen (Aalto University), Albina Zavgorodniaia (Aalto University), Arto Hellas (University of Helsinki, Finland), John Edwards (Utah State University) | Pre-print, Media Attached

20:20 | 5m talk | AST-Trans: Code Summarization with Efficient Tree-Structured Attention | Technical Track | Ze Tang (Software Institute, Nanjing University), Xiaoyu Shen (Alexa AI, Amazon), Chuanyi Li (State Key Laboratory for Novel Software Technology, Nanjing University), Jidong Ge (State Key Laboratory for Novel Software and Technology, Nanjing University), Liguo Huang (Dept. of Computer Science, Southern Methodist University, Dallas, TX, 75205), Zheling Zhu (State Key Laboratory for Novel Software and Technology, Nanjing University, 22 Hankou Road, Nanjing, China), Bin Luo (Software Institute, Nanjing University) | Pre-print, Media Attached

20:25 | 5m talk | SPT-Code: Sequence-to-Sequence Pre-Training for Learning Representation of Source Code | Technical Track | Changan Niu (State Key Laboratory for Novel Software Technology, Nanjing University), Chuanyi Li (State Key Laboratory for Novel Software Technology, Nanjing University), Vincent Ng (Human Language Technology Research Institute, University of Texas at Dallas, Richardson, TX 75083-0688), Jidong Ge (State Key Laboratory for Novel Software and Technology, Nanjing University), Liguo Huang (Dept. of Computer Science, Southern Methodist University, Dallas, TX, 75205), Bin Luo (Software Institute, Nanjing University) | Pre-print, Media Attached

20:30 | 5m talk | Demystifying the Vulnerability Propagation and Its Evolution via Dependency Trees in the NPM Ecosystem | Technical Track | Chengwei Liu (Tianjin University and Nanyang Technological University), Sen Chen (Tianjin University), Lingling Fan (Nankai University), Bihuan Chen (Fudan University, China), Yang Liu (Nanyang Technological University), Xin Peng (Fudan University) | Pre-print, Media Attached