Published in: Empirical Software Engineering 3/2023

01.06.2023

Empirical analysis of security vulnerabilities in Python packages

Authors: Mahmoud Alfadel, Diego Elias Costa, Emad Shihab


Abstract

Software ecosystems play an important role in modern software development, providing an open platform of reusable packages that speed up and facilitate development tasks. However, the level of code reuse that software ecosystems support also makes the discovery of security vulnerabilities much more difficult, as software systems depend on an increasingly high number of packages. Recently, security vulnerabilities in the npm ecosystem, the ecosystem of Node.js packages, have been studied in the literature. As different software ecosystems embody different programming languages and particularities, we argue that it is also important to study other popular programming languages to build stronger empirical evidence about vulnerabilities in software ecosystems. In this paper, we present an empirical study of 1,396 vulnerability reports affecting 698 Python packages in the Python ecosystem (PyPi). In particular, we study the propagation and life span of security vulnerabilities, accounting for how long they take to be discovered and fixed. In addition, vulnerabilities in packages may affect software projects that depend on them (dependent projects), making them vulnerable too. We study a set of 2,224 GitHub Python projects to better understand the prevalence of vulnerabilities in their dependencies and how long it takes to update them. Our findings show that the number of vulnerabilities discovered in Python packages is increasing over time, and that they take more than 3 years to be discovered. A large portion of these vulnerabilities (40.86%) are fixed only after being publicly announced, giving attackers ample time for exploitation. Moreover, we find that more than half of the dependent projects rely on at least one vulnerable package, and that they take a considerably long time (7 months) to update to a non-vulnerable version. We find similarities in some characteristics of vulnerabilities in PyPi and npm, as well as divergences that can be attributed to specific PyPi policies. By leveraging our findings, we provide a series of implications that can strengthen the security of software ecosystems by improving the process of discovering, fixing and managing package vulnerabilities.
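The life-cycle measurements the abstract describes (time from the first vulnerable release to discovery, time from discovery to fix, the share of fixes that ship only after public disclosure, and how long a dependent project takes to move to a patched version) can be computed from any advisory database that records those dates. The block below is an added example, not code from the paper or its replication package; the `VulnReport` dataclass, the dotted-integer `first_safe` version model, and every advisory and project snapshot in it are constructed for illustration.

```python
"""Vulnerability life-cycle and dependency-lag metrics over a constructed
sample of package advisories (added example; not the paper's own scripts)."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class VulnReport:
    package: str
    introduced: date        # release date of the first affected version
    discovered: date        # date the flaw was reported to the maintainers
    disclosed: date         # date the advisory became public
    fixed: Optional[date]   # release date of the first patched version, None if unpatched
    first_safe: tuple       # first version that is not affected (hypothetical range model)


def parse_version(text: str) -> tuple:
    """Dotted-integer versions only; real tooling should use packaging.version (PEP 440)."""
    return tuple(int(part) for part in text.split("."))


def discovery_lag_days(r: VulnReport) -> int:
    """Days the flaw existed in a published release before anyone reported it."""
    return (r.discovered - r.introduced).days


def fix_lag_days(r: VulnReport) -> Optional[int]:
    """Days from report to patched release; None while the flaw is unpatched."""
    return (r.fixed - r.discovered).days if r.fixed is not None else None


def fixed_after_disclosure(r: VulnReport) -> bool:
    """True when the patch shipped only after the advisory was public,
    i.e. there was a window in which the issue was known but had no upstream fix."""
    return r.fixed is not None and r.fixed > r.disclosed


def lifecycle_summary(reports) -> dict:
    """Aggregate the three per-report metrics the way an ecosystem-wide study would."""
    fixed = [r for r in reports if r.fixed is not None]
    return {
        "median_discovery_lag_days": median(discovery_lag_days(r) for r in reports),
        "median_fix_lag_days": median(fix_lag_days(r) for r in fixed),
        "share_fixed_after_disclosure": sum(fixed_after_disclosure(r) for r in fixed) / len(fixed),
    }


def is_vulnerable(package: str, version: str, reports) -> bool:
    """A pinned version is vulnerable if any report for that package covers it."""
    v = parse_version(version)
    return any(r.package == package and v < r.first_safe for r in reports)


def days_to_update(snapshots, report: VulnReport) -> Optional[int]:
    """snapshots: (date, pinned version) pairs for one project's dependency on
    report.package, in chronological order. Returns days from the fix release to
    the first snapshot that pins a safe version, or None if the project never
    moved off the vulnerable range (or no fix exists yet)."""
    if report.fixed is None:
        return None
    for when, pinned in snapshots:
        if when >= report.fixed and parse_version(pinned) >= report.first_safe:
            return (when - report.fixed).days
    return None


# Constructed sample data, not real advisories or real projects.
REPORTS = [
    VulnReport("alpha", date(2016, 1, 10), date(2019, 3, 1), date(2019, 3, 15), date(2019, 4, 1), (2, 0, 0)),
    VulnReport("beta", date(2017, 6, 1), date(2018, 6, 1), date(2018, 6, 5), date(2018, 6, 3), (1, 4, 0)),
    VulnReport("gamma", date(2018, 1, 1), date(2020, 1, 1), date(2020, 1, 10), None, (3, 0, 0)),
]
# Dependency pins of two hypothetical projects, as seen in successive commits.
PROJECT_A_ALPHA = [(date(2018, 5, 1), "1.2.0"), (date(2019, 6, 15), "1.3.1"), (date(2019, 11, 1), "2.1.0")]
PROJECT_B_BETA = [(date(2018, 1, 1), "1.2.0"), (date(2019, 1, 1), "1.2.0")]

if __name__ == "__main__":
    print(lifecycle_summary(REPORTS))
    print("project A, alpha: days to safe version:", days_to_update(PROJECT_A_ALPHA, REPORTS[0]))
    print("project B, beta: days to safe version:", days_to_update(PROJECT_B_BETA, REPORTS[1]))
```

On real data the dates come from an advisory feed and from PyPI release metadata, and affected ranges should be evaluated with the `packaging` library rather than the simplified tuple comparison above. The `fixed_after_disclosure` flag is the one a defender should watch: it marks reports whose public window had no upstream fix, and `days_to_update` shows how long that exposure persists downstream even after a fix exists.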


Metadata
Title
Empirical analysis of security vulnerabilities in Python packages
Authors
Mahmoud Alfadel
Diego Elias Costa
Emad Shihab
Publication date
01.06.2023
Publisher
Springer US
Published in
Empirical Software Engineering / Issue 3/2023
Print ISSN: 1382-3256
Electronic ISSN: 1573-7616
DOI
https://doi.org/10.1007/s10664-022-10278-4
