Understanding the Threats of Upstream Vulnerabilities to Downstream Projects in the Maven Ecosystem
This is the research artifact of the paper ‘Understanding the Threats of Upstream Vulnerabilities to Downstream Projects in the Maven Ecosystem’. The paper aims to help readers better understand vulnerability propagation and exploration in the Maven ecosystem at the function level. We collect in total 832 CVEs, 1,078 patches, and 613 corresponding vulnerable upstream software packages, and we build the dependency graph of Maven to collect 29,952 downstream projects that depend on the vulnerable upstream. Because we analyze vulnerabilities at the function level, we extract the vulnerable functions from the patches. Specifically, we use Soot to build the CG (Call Graph) and the ICFG (Inter-procedural Control Flow Graph) for the collected Java programs. We then analyze the features (e.g., length, constraints) of the call path from the downstream call site to the upstream vulnerable function to show to what extent the upstream vulnerabilities are actually used. This artifact provides all the data we collected and the analysis code (including function extraction and Java code analysis) used in the paper. We therefore apply for the “Available” and “Reusable” badges for this artifact.
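As an added illustration of the two steps sketched above (vulnerable functions taken from patch hunks, then call-path reachability from downstream call sites), the Python below is not the artifact's own code: it uses a constructed patch and a hand-built call graph in place of Soot's CG, and the names XmlLoader, App, Report and the dn./up. prefixes are assumptions.

```python
"""Added example, not the artifact's code: (1) treat the methods touched by a
patch as vulnerable functions, (2) find the shortest call path from each
downstream call site to any upstream vulnerable function and report its length,
one of the call-path features the paper measures. The graph is constructed by
hand here; the real analysis derives it with Soot."""
from collections import deque
import re

# Constructed unified diff; hunk headers carry the enclosing Java method as context.
PATCH = """\
--- a/src/main/java/org/example/upstream/XmlLoader.java
+++ b/src/main/java/org/example/upstream/XmlLoader.java
@@ -40,6 +40,8 @@ public Document load(InputStream in) throws IOException {
-        factory.setFeature(EXTERNAL_ENTITIES, true);
+        factory.setFeature(EXTERNAL_ENTITIES, false);
@@ -88,3 +90,3 @@ private void logError(String msg) {
-        log.info(msg);
+        log.warn(msg);
"""

# First identifier followed by "(" in the hunk-header context is the method name.
HUNK_RE = re.compile(r"^@@ .* @@ .*?\b(\w+)\s*\(", re.MULTILINE)

def vulnerable_functions(patch):
    """Method names appearing as hunk-header context in the patch."""
    return set(HUNK_RE.findall(patch))

# Constructed call graph, caller -> callees. "dn." marks downstream, "up." upstream.
CALL_GRAPH = {
    "dn.App.handleRequest": ["up.XmlLoader.parseFile", "dn.App.audit"],
    "up.XmlLoader.parseFile": ["up.XmlLoader.load"],
    "up.XmlLoader.load": ["up.XmlLoader.logError"],
    "dn.App.audit": ["up.Logger.write"],
    "up.Logger.write": [],
    "up.XmlLoader.logError": [],
    "dn.Report.render": ["up.Logger.write"],
}

def shortest_call_path(graph, call_site, vulnerable):
    """BFS from a downstream call site; returns the shortest path ending at an
    upstream vulnerable method, or None. Matching on the bare method name is a
    simplification: a real analysis keys on class plus full signature."""
    seen, queue = {call_site}, deque([[call_site]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node.startswith("up.") and node.rsplit(".", 1)[1] in vulnerable:
            return path
        for callee in graph.get(node, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None

def reachability_report(graph, patch):
    """Call-path length (number of edges) per downstream site, None if unreachable."""
    vuln = vulnerable_functions(patch)
    report = {}
    for site in (n for n in graph if n.startswith("dn.")):
        path = shortest_call_path(graph, site, vuln)
        report[site] = len(path) - 1 if path else None
    return report

if __name__ == "__main__":
    print(reachability_report(CALL_GRAPH, PATCH))
```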