In Dependencies We Trust: How vulnerable are dependencies in software modules?

In Dependencies We Trust: How vulnerable are dependencies in software modules?

Hejderup, J.I.

Van Deursen, A. (mentor)
Mesbah, A. (mentor)

Electrical Engineering, Mathematics and Computer Science

Department of Software Technology

Software Engineering Research Group

2015-05-13

Web-enabled services hold valuable information that attracts attackers to exploit services for unauthorized access. The transparency of Open-Source projects, shallow screening of hosted projects on public software repositories and access to vulnerability databases pave the way for attackers to gain strategic information to exploit software systems using vulnerable third-party source code. In this thesis, we explore the character of JavaScript modules relying on vulnerable components from a dependency viewpoint. We studied the npm registry, a popular centralized repository for hosting JavaScript modules by using information from security advisories in order to determine: prevalence of modules depending on vulnerable dependencies, the propagation in the dependency chain and the time window to resolve a vulnerable dependency. This was followed by a qualitative study to understand dependency management practices in order to investigate why dependencies remain unchanged. The outcome of this study shows that one-third of the modules using at least one advisory dependency resolve to a vulnerable version. The qualitative study suggested that a majority of the modules lacked awareness or discussion about known vulnerabilities. Furthermore, the key findings indicate that the context use of the module and breaking changes are potential reasons for not resolving the vulnerable dependency.

Software Security
JavaScript
Node.js
Known Vulnerabilties

http://resolver.tudelft.nl/uuid:3a15293b-16f6-4e9d-b6a2-f02cd52f1a9e

2015-05-14

Student theses

master thesis

(c) 2015 Hejderup, J.I.