Skip to main content
SpringerLink
Log in

Exogenous and Endogenous Factors Leading to OSS Vulnerability: Study on Version Dependency Network

  • Conference paper
  • First Online:
Advances in Information and Communication (FICC 2023)

Part of the book series: Lecture Notes in Networks and Systems ((LNNS,volume 651))

Included in the following conference series:

  • 622 Accesses

Abstract

Pursuant to many open-source software (OSS) vulnerability incidents, various research institutes and firms have attempted to either identify the most commonly used OSS components, and examine for potential vulnerabilities and possible investments, or produce tools to detect OSS vulnerabilities by thorough inspection. Although these firms aim to identify vulnerabilities as many as possible, but produce too many alarms, and many false alarms. At the same time, one of the major assumptions in various importance and security studies is that packages keep same dependencies over time, i.e., all dependencies are calculated without considering version information, however this is a wrong assumption, for instance when the gem package “spruz” is scored highly risky, because it depended on previous versions of some popular packages, “json_pure”. Having included version dependency, “spruz” would not have scored high importance. Therefore, it is important to investigate package version vulnerability rather than project vulnerability, also discuss research questions as 1) what factors could lead to package vulnerability? Also knowing these factors, can one narrow down vulnerability search? For this purpose, we build a version dependency network combining various sources; on the other hand, we collect vulnerabilities from different repositories. We investigate the impact of network exposure and other exogenous and endogenous factors such as contributors count, open issues count, version age and number of forks on latest package version vulnerability.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 189.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 249.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Paulson, J.W., Succi, G., Eberlein, A.: An empirical study of open-source and closed-sou software products search Abstract. Poista 30(4), 246–256 (2004)

    Google Scholar 

  2. Synopsis: Open-Source Security and Risk Analysis. Synopsys Center for Open-Source Research & Innovation (2018)

    Google Scholar 

  3. Schryen, G.: Security of open source and closed source software: An empirical comparison of published vulnerabilities. In: Proceedings of the Fifteenth Americas Conference on Information Systems, San Francisco, California (2009)

    Google Scholar 

  4. Morrison, P., Herzig, K., Murphy, B., Williams, L.: Challenges with applying vulnerability prediction models. In: Proceedings of the Symposium and Bootcamp on the Science of Security (2015)

    Google Scholar 

  5. Hall, T., Beecham, S., Bowes, D., Gray, D., Counsell, S.: A systematic literature review on fault prediction performance in software engineering. IEEE Trans. Softw. Eng. 38(6), 1276–1304 (2011)

    Article  Google Scholar 

  6. Wartschinski, L.: Detecting Software Vulnerabilities with Deep Learning. Humboldt-Universität zu Berlin Mathematisch-Naturwissenschaftliche Fakultät Institut für Informatik (2019)

    Google Scholar 

  7. Yu, Z., Theisen, C., Williams, L., Menzies, T.: Improving vulnerability inspection efficiency using active learning. IEEE Trans. Softw. Eng. (2019)

    Google Scholar 

  8. Zhou, Y., and Sharma, A.: Automated identification of security issues from commit messages and bug reports. In: Proceedings of the 11th Joint Meeting on Foundations of Software Engineering, pp. 914–919 (2017)

    Google Scholar 

  9. Russell, R., et al.: Automated vulnerability detection in source code using deep representation learning. In: Proceedings of the 17th IEEE International Conference on Machine Learning and Applications (ICMLA), pp. 757–762 (2018)

    Google Scholar 

  10. Behfar, S.K., Hosseinpour, M.: Cascading impact of cyberattacks on multi-layer social networks. In: Proceedings of the 14th Mediterranean Conference on Information Systems, ITAIS and MCIS Catanzaro, Italy (2022)

    Google Scholar 

  11. Kikas, R., Gousios, G., Dumas, M., Pfahl, D.: Structure and evolution of package dependency networks. In: Proceedings of the IEEE/ACM 14th International Conference on Mining Software Repositories (2017)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Information Systems, Geneva School of Business Administration (HES-SO Genève), Carouge, Switzerland

    Stefan Kambiz Behfar

Authors
  1. Stefan Kambiz Behfar
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Stefan Kambiz Behfar .

Editor information

Editors and Affiliations

  1. Faculty of Science and Engineering, Saga University, Saga, Japan

    Kohei Arai

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Behfar, S.K. (2023). Exogenous and Endogenous Factors Leading to OSS Vulnerability: Study on Version Dependency Network. In: Arai, K. (eds) Advances in Information and Communication. FICC 2023. Lecture Notes in Networks and Systems, vol 651. Springer, Cham. https://doi.org/10.1007/978-3-031-28076-4_39

Download citation

Publish with us

Policies and ethics

Search

Navigation