Litcius/Paper detail

Demystifying the vulnerability propagation and its evolution via dependency trees in the NPM ecosystem

Chengwei Liu, Sen Chen, Lingling Fan, Bihuan Chen, Yang Liu, Xin Peng

2022Proceedings of the 44th International Conference on Software Engineering98 citationsDOIOpen Access PDF

Abstract

Third-party libraries with rich functionalities facilitate the fast development of JavaScript software, leading to the explosive growth of the NPM ecosystem. However, it also brings new security threats that vulnerabilities could be introduced through dependencies from third-party libraries. In particular, the threats could be excessively amplified by transitive dependencies. Existing research only considers direct dependencies or reasoning transitive dependencies based on reachability analysis, which neglects the NPM-specific dependency resolution rules as adapted during real installation, resulting in wrongly resolved dependencies. Consequently, further fine-grained analysis, such as precise vulnerability propagation and their evolution over time in dependencies, cannot be carried out precisely at a large scale, as well as deriving ecosystem-wide solutions for vulnerabilities in dependencies.

Topics & Concepts

Dependency (UML)Computer scienceReachabilityVulnerability (computing)Transitive relationJavaScriptExplosive materialDependency theory (database theory)Theoretical computer scienceDependency graphSoftwareDistributed computingFunctional dependencyData miningComputer securitySoftware engineeringRelational databaseProgramming languageGeographyMathematicsCombinatoricsArchaeologySoftware Engineering ResearchScientific Computing and Data ManagementSecurity and Verification in Computing