@article{10.1145/3472811,
author = {D{\"u}sing, Johannes and Hermann, Ben},
title = {Analyzing the Direct and Transitive Impact of Vulnerabilities onto Different Artifact Repositories},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
volume = {0},
number = {ja},
issn = {2692-1626},
url = {https://doi.org/10.1145/3472811},
doi = {10.1145/3472811},
abstract = {In modern-day software development, a vast number of public software libraries enable
the reuse of existing implementations. While this practice does yield significant
benefits in productivity, it also puts an increasing amount of responsibility on library
maintainers. Given the fact that libraries are often interconnected, the impact of
a single vulnerability may be large, and is hard to quantify. Recent studies indicate
that developers in fact struggle with upgrading vulnerable dependencies, despite
ever-increasing support from automated tools. With our work we improve on this situation
by providing an in-depth analysis on how developers handle dependency upgrades. In
order to do so, we contribute a miner for artifact dependency graphs, which also annotates
vulnerability information. We execute our application and generate a data set for
Maven Central, NuGet.org and the NPM Registry. Afterwards, we conduct an extensive
analysis of our data, which is aimed at understanding the impact of vulnerabilities
for the three different repositories. Finally, we summarize the resulting risks and
derive mitigation strategies based on our findings. For all repositories we found
that vulnerabilities propagate to libraries via long transitive dependency chains, and
that vulnerable libraries may affect thousands of other libraries transitively.},
journal = {Digital Threats: Research and Practice}
}