Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem
CoRR(2023)
Abstract
Open-source software (OSS) greatly facilitates program development for
developers. However, the high number of vulnerabilities in open-source software
is a major concern, including in Golang, a relatively new programming language.
In contrast to other commonly used OSS package managers, Golang presents a
distinctive feature whereby commits are prevalently used as dependency versions
prior to their integration into official releases. This attribute can prove
advantageous to users, as patch commits can be implemented in a timely manner
before the releases. However, Golang employs a decentralized mechanism for
managing dependencies, whereby dependencies are upheld and distributed in
separate repositories. This approach can result in delays in the dissemination
of patches and unresolved vulnerabilities.
To tackle the aforementioned concern, a comprehensive investigation was
undertaken to examine the life cycle of vulnerabilities in Golang, commencing
from their introduction and culminating with their rectification. To this end, a
framework was established by gathering data from diverse sources and
systematically amalgamating them with an algorithm to compute the lags in
vulnerability patching. It turned out that 66.10
ecosystem were affected by vulnerabilities. Within the vulnerability life
cycle, we found two kinds of lag impeding the propagation of vulnerability
fixing. By analyzing reasons behind non-lagged and lagged vulnerabilities,
timely releasing and indexing patch versions could significantly enhance
ecosystem security.
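To make the commit-as-dependency-version point concrete, here is an added example (not code from the paper or from any Go tool) that parses the commit timestamp out of a Go pseudo-version, checks whether a pinned dependency predates a known fix commit, and computes patch-propagation lags. The two lag definitions (fix commit to patched release, release to proxy index) and all dates are assumptions constructed for the example; the page does not state the paper's own definitions.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Go pseudo-versions end in "-yyyymmddhhmmss-abcdefabcdef": a UTC commit
// timestamp followed by a 12-hex-digit commit hash prefix.
var pseudoRe = regexp.MustCompile(`(\d{14})-([0-9a-f]{12})$`)

// ParsePseudoVersion returns the commit time and hash prefix encoded in a
// pseudo-version such as v0.0.0-20230101120000-abcdefabcdef.
func ParsePseudoVersion(v string) (time.Time, string, error) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return time.Time{}, "", fmt.Errorf("not a pseudo-version: %q", v)
	}
	t, err := time.Parse("20060102150405", m[1])
	if err != nil {
		return time.Time{}, "", err
	}
	return t.UTC(), m[2], nil
}

// PinnedBeforeFix reports whether a dependency pinned to a pseudo-version
// points at a commit older than the fix commit, i.e. still carries the bug.
func PinnedBeforeFix(v string, fixCommit time.Time) (bool, error) {
	t, _, err := ParsePseudoVersion(v)
	if err != nil {
		return false, err
	}
	return t.Before(fixCommit), nil
}

// Lags uses hypothetical definitions chosen for this example (not the paper's):
// Release = fix commit -> patched release; Index = patched release -> proxy index.
type Lags struct{ Release, Index time.Duration }

func PatchLags(fixCommit, patchRelease, indexed time.Time) Lags {
	return Lags{Release: patchRelease.Sub(fixCommit), Index: indexed.Sub(patchRelease)}
}

func main() {
	fix := time.Date(2023, 3, 10, 9, 0, 0, 0, time.UTC) // constructed fix-commit time
	pre, _ := PinnedBeforeFix("v0.0.0-20230301120000-0123456789ab", fix)
	fmt.Println("pinned pseudo-version predates fix:", pre)
	l := PatchLags(fix, fix.Add(20*24*time.Hour), fix.Add(23*24*time.Hour))
	fmt.Printf("release lag %v, index lag %v\n", l.Release, l.Index)
}
```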