Abstract
Pursuant to many open-source software (OSS) vulnerability incidents, various research institutes and firms have attempted to either identify the most commonly used OSS components, and examine for potential vulnerabilities and possible investments, or produce tools to detect OSS vulnerabilities by thorough inspection. Although these firms aim to identify vulnerabilities as many as possible, but produce too many alarms, and many false alarms. At the same time, one of the major assumptions in various importance and security studies is that packages keep same dependencies over time, i.e., all dependencies are calculated without considering version information, however this is a wrong assumption, for instance when the gem package “spruz” is scored highly risky, because it depended on previous versions of some popular packages, “json_pure”. Having included version dependency, “spruz” would not have scored high importance. Therefore, it is important to investigate package version vulnerability rather than project vulnerability, also discuss research questions as 1) what factors could lead to package vulnerability? Also knowing these factors, can one narrow down vulnerability search? For this purpose, we build a version dependency network combining various sources; on the other hand, we collect vulnerabilities from different repositories. We investigate the impact of network exposure and other exogenous and endogenous factors such as contributors count, open issues count, version age and number of forks on latest package version vulnerability.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Paulson, J.W., Succi, G., Eberlein, A.: An empirical study of open-source and closed-sou software products search Abstract. Poista 30(4), 246–256 (2004)
Synopsis: Open-Source Security and Risk Analysis. Synopsys Center for Open-Source Research & Innovation (2018)
Schryen, G.: Security of open source and closed source software: An empirical comparison of published vulnerabilities. In: Proceedings of the Fifteenth Americas Conference on Information Systems, San Francisco, California (2009)
Morrison, P., Herzig, K., Murphy, B., Williams, L.: Challenges with applying vulnerability prediction models. In: Proceedings of the Symposium and Bootcamp on the Science of Security (2015)
Hall, T., Beecham, S., Bowes, D., Gray, D., Counsell, S.: A systematic literature review on fault prediction performance in software engineering. IEEE Trans. Softw. Eng. 38(6), 1276–1304 (2011)
Wartschinski, L.: Detecting Software Vulnerabilities with Deep Learning. Humboldt-Universität zu Berlin Mathematisch-Naturwissenschaftliche Fakultät Institut für Informatik (2019)
Yu, Z., Theisen, C., Williams, L., Menzies, T.: Improving vulnerability inspection efficiency using active learning. IEEE Trans. Softw. Eng. (2019)
Zhou, Y., and Sharma, A.: Automated identification of security issues from commit messages and bug reports. In: Proceedings of the 11th Joint Meeting on Foundations of Software Engineering, pp. 914–919 (2017)
Russell, R., et al.: Automated vulnerability detection in source code using deep representation learning. In: Proceedings of the 17th IEEE International Conference on Machine Learning and Applications (ICMLA), pp. 757–762 (2018)
Behfar, S.K., Hosseinpour, M.: Cascading impact of cyberattacks on multi-layer social networks. In: Proceedings of the 14th Mediterranean Conference on Information Systems, ITAIS and MCIS Catanzaro, Italy (2022)
Kikas, R., Gousios, G., Dumas, M., Pfahl, D.: Structure and evolution of package dependency networks. In: Proceedings of the IEEE/ACM 14th International Conference on Mining Software Repositories (2017)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Behfar, S.K. (2023). Exogenous and Endogenous Factors Leading to OSS Vulnerability: Study on Version Dependency Network. In: Arai, K. (eds) Advances in Information and Communication. FICC 2023. Lecture Notes in Networks and Systems, vol 651. Springer, Cham. https://doi.org/10.1007/978-3-031-28076-4_39
Download citation
DOI: https://doi.org/10.1007/978-3-031-28076-4_39
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-28075-7
Online ISBN: 978-3-031-28076-4
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)