Out of Sight, Still at Risk: The Lifecycle of Transitive Vulnerabilities in Maven
By: Piotr Przymus, Mikołaj Fejzer, Jakub Narębski and more
Potential Business Impact:
Finds hidden computer program dangers faster.
Modern software development relies heavily on transitive dependencies: they make it easy to integrate third-party libraries, but they also introduce security challenges. Transitive vulnerabilities, which arise from indirect dependencies, expose projects to risks associated with Common Vulnerabilities and Exposures (CVEs) even when the project's direct dependencies remain secure. This paper examines the lifecycle of transitive vulnerabilities in the Maven ecosystem. We employ survival analysis to measure how long projects remain exposed after a CVE is introduced into their dependency tree. Using a large dataset of Maven projects, we identify factors that influence how quickly these vulnerabilities are resolved. Our findings offer practical advice on improving dependency management.
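To make the abstract's method concrete, here is an added example (not code from the paper or its authors) of the two steps it describes: deciding whether a project is exposed to a vulnerable artifact through its transitive dependency tree, and then estimating the "time remaining exposed" with a Kaplan-Meier survival estimator that accounts for right-censored projects (those still exposed when observation ends). The dependency graph, the artifact names (`lib-vuln` and friends) and the observation dates are all constructed for illustration and are not drawn from the paper's dataset.

```python
"""Toy transitive-exposure survival analysis: reachability + Kaplan-Meier.

Added example; all data below is constructed, not taken from the paper.
"""
from collections import deque

# Constructed dependency graph: artifact -> list of its direct dependencies.
# Only "lib-vuln" carries the (hypothetical) CVE; apps reach it at various depths.
DEP_GRAPH = {
    "app-a": ["lib-x"],
    "app-b": ["lib-vuln"],          # direct dependency on the vulnerable artifact
    "app-c": ["lib-z"],             # never reaches lib-vuln
    "app-d": ["lib-x"],
    "app-e": ["lib-y"],
    "app-f": ["lib-x", "lib-z"],
    "lib-x": ["lib-y"],
    "lib-y": ["lib-vuln"],
    "lib-z": [],
    "lib-vuln": [],
}

# Constructed observations, in days relative to a common epoch. "fixed" is None
# when the project was still exposed at "observed_until" (right-censored).
OBSERVATIONS = [
    {"project": "app-a", "cve_published": 0, "fixed": 30,   "observed_until": 60},
    {"project": "app-b", "cve_published": 0, "fixed": 10,   "observed_until": 60},
    {"project": "app-c", "cve_published": 0, "fixed": None, "observed_until": 60},
    {"project": "app-d", "cve_published": 0, "fixed": None, "observed_until": 45},
    {"project": "app-e", "cve_published": 5, "fixed": 35,   "observed_until": 60},
    {"project": "app-f", "cve_published": 0, "fixed": None, "observed_until": 20},
]


def transitive_deps(graph, root):
    """Breadth-first walk; returns every artifact reachable from root (root excluded)."""
    seen, queue = set(), deque(graph.get(root, []))
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        queue.extend(graph.get(dep, []))
    return seen


def dependency_path(graph, root, target):
    """Returns one shortest path root -> ... -> target, or None if unreachable.

    Useful in triage: it tells a maintainer which direct dependency to upgrade
    or exclude to cut off the vulnerable artifact."""
    parent, queue = {root: None}, deque([root])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for dep in graph.get(node, []):
            if dep not in parent:
                parent[dep] = node
                queue.append(dep)
    return None


def exposure_durations(graph, observations, vulnerable):
    """(days_exposed, event) per exposed project; event=False means censored."""
    samples = []
    for obs in observations:
        if vulnerable not in transitive_deps(graph, obs["project"]):
            continue  # not exposed at all, so it contributes nothing
        if obs["fixed"] is not None:
            samples.append((obs["fixed"] - obs["cve_published"], True))
        else:
            samples.append((obs["observed_until"] - obs["cve_published"], False))
    return samples


def kaplan_meier(samples):
    """Product-limit estimator: returns [(t, S(t))] at each distinct event time.

    Censored samples stay in the at-risk set up to their censoring time but
    never count as events, which is what keeps the estimate unbiased."""
    curve, surv = [], 1.0
    for t in sorted({d for d, event in samples if event}):
        at_risk = sum(1 for d, _ in samples if d >= t)
        events = sum(1 for d, event in samples if d == t and event)
        surv *= 1 - events / at_risk
        curve.append((t, surv))
    return curve


def median_exposure(curve):
    """First time at which the estimated survival (still-exposed) fraction is <= 0.5."""
    for t, surv in curve:
        if surv <= 0.5:
            return t
    return None  # more than half the projects were still exposed at the end


if __name__ == "__main__":
    samples = exposure_durations(DEP_GRAPH, OBSERVATIONS, "lib-vuln")
    for t, surv in kaplan_meier(samples):
        print(f"day {t:3d}: {surv:.3f} of exposed projects still exposed")
    print("path for app-f:", " -> ".join(dependency_path(DEP_GRAPH, "app-f", "lib-vuln")))
```

In the constructed data, five of the six projects are exposed (app-c never reaches `lib-vuln`), two of them are censored, and the Kaplan-Meier curve drops to 0.8 after the first fix at day 10 and to about 0.27 after the two fixes at day 30, giving a median exposure of 30 days. Dropping censored projects instead of treating them this way would understate exposure time, which is precisely why the abstract's choice of survival analysis matters.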
Similar Papers
The Ripple Effect of Vulnerabilities in Maven Central: Prevalence, Propagation, and Mitigation Challenges
Software Engineering
Fixes hidden computer code problems in apps.
The Secret Life of CVEs
Cryptography and Security
Finds ways to fix computer security problems faster.
Tracing Vulnerability Propagation Across Open Source Software Ecosystems
Software Engineering
Finds how software problems spread through many projects.