Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem
Open-source software (OSS) greatly facilitates program development for developers. However, the high number of vulnerabilities in open-source software is a major concern, including in Golang, a relatively new programming language. In contrast to other commonly used OSS package managers, Golang presents a distinctive feature whereby commits are prevalently used as dependency versions prior to their integration into official releases. This attribute can prove advantageous to users, as patch commits can be implemented in a timely manner before the releases. However, Golang employs a decentralized mechanism for managing dependencies, whereby dependencies are upheld and distributed in separate repositories. This approach can result in delays in the dissemination of patches and unresolved vulnerabilities.
To tackle this concern, a comprehensive investigation was undertaken of the life cycle of vulnerabilities in Golang, from their introduction to their rectification. To this end, a framework was established by gathering data from diverse sources and systematically combining them with an algorithm that computes the lags in vulnerability patching. It turned out that 66.10% of modules in the Golang ecosystem were affected by vulnerabilities. Within the vulnerability life cycle, we found two kinds of lag impeding the propagation of vulnerability fixes. Our analysis of the reasons behind non-lagged and lagged vulnerabilities suggests that releasing and indexing patch versions in a timely manner could significantly enhance ecosystem security.
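The mechanism the abstract refers to is Go's pseudo-version: a `require` line can pin a dependency to an untagged commit as `vX.Y.Z-yyyymmddhhmmss-hash`, so a consumer can pick up a patch commit before the maintainer tags a release. The following is an added illustration, not code from the paper or its framework: it parses pseudo-versions, measures the window between a patch commit and the first tagged release containing it (called "release lag" here; this is the example's own term, not necessarily one of the two lags the paper defines), and classifies a pinned version as fixed or vulnerable. The module paths, fix records and required versions are constructed, hypothetical data; the version comparison is a simplified one that ignores pre-release identifiers.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// FixRecord is constructed data standing in for what an advisory database plus the
// dependency's git history would supply for one vulnerability (all times UTC).
type FixRecord struct {
	FixCommitAt  time.Time // when the patch commit landed on the default branch
	FixRelease   string    // first tagged release containing the patch ("" if none yet)
	FixReleaseAt time.Time // when that release was tagged
}

func utc(y, m, d, h int) time.Time { return time.Date(y, time.Month(m), d, h, 0, 0, 0, time.UTC) }

// Hypothetical fix records keyed by module path (constructed, not real advisories).
var fixes = map[string]FixRecord{
	"example.com/lib":   {utc(2023, 5, 20, 9), "v0.2.0", utc(2023, 6, 19, 9)},
	"example.com/other": {utc(2023, 3, 1, 10), "v1.3.2", utc(2023, 3, 3, 10)},
	"example.com/old":   {utc(2023, 1, 10, 8), "v1.2.0", utc(2023, 2, 1, 8)},
}

// Constructed require entries of a consuming go.mod: one commit pin, two tagged releases.
var requires = map[string]string{
	"example.com/lib":   "v0.0.0-20230601120000-0123456789ab",
	"example.com/other": "v1.4.0",
	"example.com/old":   "v1.1.0",
}

// ParsePseudoVersion recognises the toolchain's pseudo-version forms (vX.Y.Z-yyyymmddhhmmss-hash,
// vX.Y.Z-pre.0.yyyymmddhhmmss-hash, vX.Y.(Z+1)-0.yyyymmddhhmmss-hash) and returns the commit time.
func ParsePseudoVersion(v string) (time.Time, bool) {
	v = strings.TrimSuffix(v, "+incompatible")
	i := strings.LastIndex(v, "-") // the 12-hex-digit commit hash follows the last dash
	if i < 15 || len(v)-i != 13 || strings.Trim(v[i+1:], "0123456789abcdef") != "" {
		return time.Time{}, false
	}
	if sep := v[i-15]; sep != '-' && sep != '.' { // timestamp is preceded by "-" or ".0."
		return time.Time{}, false
	}
	t, err := time.Parse("20060102150405", v[i-14:i])
	return t, err == nil
}

// versionKey maps a tag to a string whose lexical order is the tag's precedence: zero-padded
// X.Y.Z, then 0 for a pre-release and 1 for a release (pre-release identifiers are not compared).
func versionKey(v string) string {
	v = strings.TrimSuffix(strings.TrimPrefix(v, "v"), "+incompatible")
	rel := 1
	if i := strings.Index(v, "-"); i >= 0 {
		v, rel = v[:i], 0
	}
	var n [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p) // malformed components count as 0
	}
	return fmt.Sprintf("%08d.%08d.%08d.%d", n[0], n[1], n[2], rel)
}

// CompareVersions returns -1, 0 or 1 as a sorts before, equal to or after b.
func CompareVersions(a, b string) int { return strings.Compare(versionKey(a), versionKey(b)) }

// ReleaseLag is the time from the patch commit to the first tagged release containing it:
// the window in which only a commit pin can pick up the fix.
func ReleaseLag(f FixRecord) (time.Duration, bool) {
	if f.FixRelease == "" {
		return 0, false
	}
	return f.FixReleaseAt.Sub(f.FixCommitAt), true
}

// Status classifies a required version against a fix record. For a commit pin it compares the
// embedded commit time with the fix commit, which assumes a linear default-branch history
// (a commit on another branch can be newer by timestamp yet not contain the fix).
func Status(version string, f FixRecord) string {
	if t, ok := ParsePseudoVersion(version); ok {
		if !t.Before(f.FixCommitAt) {
			return "fixed-by-commit"
		}
		return "vulnerable"
	}
	if f.FixRelease != "" && CompareVersions(version, f.FixRelease) >= 0 {
		return "fixed-by-release"
	}
	return "vulnerable"
}

func main() {
	for mod, ver := range requires {
		f := fixes[mod]
		lag, _ := ReleaseLag(f)
		fmt.Printf("%-18s %-40s %-16s release lag %v\n", mod, ver, Status(ver, f), lag)
	}
}
```

The timestamp comparison in `Status` is the weak point a practitioner should keep in mind: a pseudo-version encodes the commit's own time, not its ancestry, so a pin taken from a long-lived branch can look newer than the fix commit without containing it. Resolving that properly requires the dependency's git history (checking that the fix commit is an ancestor of the pinned one), which is the kind of decentralized, per-repository data the abstract describes as a source of delay.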
Fri 19 Apr (displayed time zone: Lisbon)
14:00 - 15:30 | Analytics 5 | Research Track / Journal-first Papers | Room: Amália Rodrigues | Chair(s): Sridhar Chimalakonda (Indian Institute of Technology, Tirupati)
14:00 | 15m talk | An Exploratory Investigation of Log Anomalies in Unmanned Aerial Vehicles | Research Track | Dinghua Wang; Shuqing Li (The Chinese University of Hong Kong); Guanping Xiao (Nanjing University of Aeronautics and Astronautics); Yepang Liu (Southern University of Science and Technology); Yulei Sui (UNSW); Pinjia He (Chinese University of Hong Kong, Shenzhen); Michael Lyu (The Chinese University of Hong Kong)
14:15 | 15m talk | ModuleGuard: Understanding and Detecting Module Conflicts in Python Ecosystem | Research Track | Ruofan Zhu (Zhejiang University); Xingyu Wang (Zhejiang University); Chengwei Liu (Nanyang Technological University); Zhengzi Xu (Nanyang Technological University); Wenbo Shen (Zhejiang University, China); Rui Chang (Zhejiang University); Yang Liu (Nanyang Technological University)
14:30 | 15m talk | Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem | Research Track | Jinchang Hu; Lyuye Zhang (Nanyang Technological University); Chengwei Liu (Nanyang Technological University); Sen Yang (Academy of Military Science); Song Huang (Army Engineering University of PLA); Yang Liu (Nanyang Technological University)
14:45 | 15m talk | Fine-SE: Integrating Semantic Features and Expert Features for Software Effort Estimation | Research Track | Yue Li (Nanjing University); Zhong Ren (State Key Laboratory of Novel Software Technology, Software Institute, Nanjing University, Nanjing, Jiangsu, China); Zhiqi Wang (State Key Laboratory of Novel Software Technology, Software Institute, Nanjing University, Nanjing, Jiangsu, China); Lanxin Yang (Nanjing University); Liming Dong (Nanjing University); He Zhang (Nanjing University)
15:00 | 7m talk | Concretization of Abstract Traffic Scene Specifications Using Metaheuristic Search | Journal-first Papers | Aren Babikian (McGill University); Oszkár Semeráth (Budapest University of Technology and Economics); Daniel Varro (Linköping University / McGill University)
15:07 | 7m talk | Technical leverage analysis in the Python ecosystem | Journal-first Papers | Ranindya Paramitha (University of Trento); Fabio Massacci (University of Trento / Vrije Universiteit Amsterdam)
15:14 | 7m talk | Automated Mapping of Adaptive App GUIs from Phones to TVs | Journal-first Papers | Han Hu (Faculty of Information Technology, Monash University); Ruiqi Dong (Swinburne University of Technology); John Grundy (Monash University); Thai Minh Nguyen (Monash University); Huaxiao Liu (Jilin University); Chunyang Chen (Technical University of Munich (TUM))
15:21 | 7m talk | Assessing the Early Bird Heuristic (for Predicting Project Quality) | Journal-first Papers