Paper Accepted for ACM DTRAP Journal
In our paper, we present an in-depth analysis of how and when library maintainers react to the disclosure and publication of vulnerabilities, and how long it takes them to release appropriate patches. We especially focus on vulnerabilities contained in transitive dependencies, as those are often hard to identify both for maintainers and for software developers.
In order to do so, we present a tool that accumulates the artifact dependency graphs of entire artifact repositories, and run it on Maven Central, the NPM Registry and NuGet.org. We further annotate those dependency graphs with verified vulnerability information (provided by Snyk Ltd.), enabling us to analyze the direct and transitive influence that vulnerabilities may have. Our final data set contains information on a total of 21.8 million software artifacts spread across 1.9 million libraries, and incorporates 7110 vulnerabilities.
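To illustrate the distinction between direct and transitive vulnerability exposure in an artifact dependency graph, here is a small added example (not the paper's tool or data): it walks a constructed graph with constructed advisory labels and reports, for a root artifact, which vulnerable artifacts it reaches directly and which only transitively.

```python
from collections import deque

# Constructed sample artifact dependency graph (not data from the paper):
# "group:version" style artifact -> artifacts it depends on directly.
DEPENDENCIES = {
    "app:1.0": ["web:2.1", "log:1.4"],
    "web:2.1": ["json:3.0", "log:1.4"],
    "json:3.0": ["util:0.9"],
    "log:1.4": [],
    "util:0.9": [],
}

# Constructed vulnerability annotations: artifact -> placeholder advisory ids.
VULNERABLE = {
    "log:1.4": ["VULN-A"],
    "util:0.9": ["VULN-B"],
}


def vulnerability_exposure(root, deps=DEPENDENCIES, vulns=VULNERABLE):
    """Return {vulnerable_artifact: (depth, advisories)} reachable from root.

    depth == 1 means a direct dependency; depth > 1 means the vulnerable
    artifact is reachable only through other dependencies. BFS records the
    shortest path, so an artifact that is both direct and transitive is
    reported at depth 1. The root itself is excluded (depth 0).
    """
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in deps.get(node, []):
            if dep not in depth:          # also guards against cycles
                depth[dep] = depth[node] + 1
                queue.append(dep)
    return {a: (d, vulns[a]) for a, d in depth.items() if a in vulns and d > 0}


def split_direct_transitive(root, deps=DEPENDENCIES, vulns=VULNERABLE):
    """Partition the exposed vulnerable artifacts into direct and transitive."""
    exposure = vulnerability_exposure(root, deps, vulns)
    direct = sorted(a for a, (d, _) in exposure.items() if d == 1)
    transitive = sorted(a for a, (d, _) in exposure.items() if d > 1)
    return direct, transitive


if __name__ == "__main__":
    print(split_direct_transitive("app:1.0"))
    # → (['log:1.4'], ['util:0.9'])
```

Running the same function over every artifact in a repository-wide graph gives the per-artifact exposure the analysis in the paper is built on.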
The ACM Digital Threats: Research and Practice (DTRAP) journal started in 2020 and aims to bridge the existing gap between academic research and industry practice. Our paper will be published in a special journal issue on vulnerabilities.