Print Email Facebook Twitter On the Effect of Transitivity and Granularity on Vulnerability Propagation in the Maven Ecosystem Title On the Effect of Transitivity and Granularity on Vulnerability Propagation in the Maven Ecosystem Author Mir, S.A.M. (TU Delft Software Engineering) Keshani, M. (TU Delft Software Engineering) Proksch, S. (TU Delft Software Engineering) Contributor Ceballos, Cristina (editor) Date 2023 Abstract Reusing software libraries is a pillar of modern software engineering. In 2022, the average Java application depends on 40 third-party libraries. Relying on such libraries exposes a project to potential vulnerabilities and may put an application and its users at risk. Unfortunately, research on software ecosystems has shown that the number of projects that are affected by such vulnerabilities is rising. Previous investigations usually reason about dependencies on the dependency level, but we believe that this highly inflates the actual number of affected projects. In this work, we study the effect of transitivity and granularity on vulnerability propagation in the Maven ecosystem. In our research methodology, we gather a large dataset of 3M recent Maven packages. We obtain the full transitive set of dependencies for this dataset, construct whole-program call graphs, and perform reachability analysis. This approach allows us to identify Maven packages that are actually affected by using vulnerable dependencies. Our empirical results show that: (1) about 1/3 of packages in our dataset are identified as vulnerable if and only if all the transitive dependencies are considered. (2) less than 1% of packages have a reachable call path to vulnerable code in their dependencies, which is far lower than that of a naive dependency-based analysis. (3) limiting the depth of the resolved dependency tree might be a useful technique to reduce computation time for expensive fine-grained (vulnerability) analysis. We discuss the implications of our work and provide actionable insights for researchers and practitioners. Subject software vulnerabilitiesMavenfine-grained analysissoftware ecosystem To reference this document use: http://resolver.tudelft.nl/uuid:600fd3dc-9069-48e6-8911-f4cd2253e714 DOI https://doi.org/10.1109/SANER56733.2023.00028 Publisher IEEE, Piscataway Embargo date 2023-11-15 ISBN 978-1-6654-5279-3 Source Proceedings of the 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER) Event 2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2023-03-21 → 2023-03-24, Taipa, Macao Bibliographical note Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public. Part of collection Institutional Repository Document type conference paper Rights © 2023 S.A.M. Mir, M. Keshani, S. Proksch Files PDF On_the_Effect_of_Transiti ... system.pdf 1.48 MB Close viewer /islandora/object/uuid:600fd3dc-9069-48e6-8911-f4cd2253e714/datastream/OBJ/view