Investigating the Resolution of Vulnerable Dependencies with Dependabot Security Updates

Hamid Mohayeji, Andrei Agaronian, Eleni Constantinou, Nicola Zannone, Alexander Serebrenik

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-reviewed

2 Citations (Scopus)

Abstract

Modern software development practices increasingly rely on third-party libraries due to the inherent benefits of reuse. However, libraries may contain security vulnerabilities that can propagate to the dependent applications. To counter this, maintainers of dependent projects should monitor their dependencies and security reports to ensure that only patched releases of the upstream libraries are in use. As manual maintenance of dependencies has been shown to be ineffective, several automated tools (aka bots) have been proposed to assist developers in rapidly identifying and resolving vulnerable dependencies.

In this work, we focus on Dependabot, a popular bot providing security and version updates, and study developers' receptivity to its security updates in engineered and actively maintained JavaScript projects. Moreover, we carry out a fine-grained analysis of the lifecycle of every vulnerability to show how vulnerabilities are dealt with in the presence of Dependabot.

Our findings show that the task of fixing vulnerable dependencies is, to a large extent, delegated to Dependabot and that developers merge the majority of security updates within several days. On the other hand, when developers do not merge a security update, they usually address the identified vulnerability manually. This approach, however, often takes up to several months, which in turn could expose the projects to security issues.

Original language: English
Title: Proceedings - 2023 IEEE/ACM 20th International Conference on Mining Software Repositories, MSR 2023
Publisher: Institute of Electrical and Electronics Engineers
Pages: 234-246
Number of pages: 13
Electronic ISBN: 9798350311846
DOIs:
Status: Published - 2023
Event: 20th IEEE/ACM International Conference on Mining Software Repositories, MSR 2023 - Melbourne, Australia
Duration: 15 May 2023 - 16 May 2023

Conference

Conference: 20th IEEE/ACM International Conference on Mining Software Repositories, MSR 2023
Country/Region: Australia
City: Melbourne
Period: 15/05/23 - 16/05/23

Bibliographical note

Publisher Copyright:
© 2023 IEEE.
