A Double-Edged Sword? Software Reuse and Potential Security Vulnerabilities

Gkortzis, Antonios; Feitosa, Daniel; Spinellis, Diomidis

doi:10.1007/978-3-030-22888-0_13

Cited by 16 publications

(12 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The major issue with bloated dependencies is that the final deployed binary file includes more code than necessary: an artificially large binary is an issue when the application is sent over the network (e.g., web applications) or it is deployed on small devices (e.g., embedded systems). Bloated dependencies could also embed vulnerable code that can be exploited, while being actually useless for the application (Gkortzis et al 2019). Overall, bloated dependencies needlessly increase the difficulty of managing and evolving software applications.…”

mentioning

confidence: 99%

A comprehensive study of bloated dependencies in the Maven ecosystem

et al. 2021

View full text Add to dashboard Cite

Build automation tools and package managers have a profound influence on software development. They facilitate the reuse of third-party libraries, support a clear separation between the application’s code and its external dependencies, and automate several software development tasks. However, the wide adoption of these tools introduces new challenges related to dependency management. In this paper, we propose an original study of one such challenge: the emergence of bloated dependencies. Bloated dependencies are libraries that are packaged with the application’s compiled code but that are actually not necessary to build and run the application. They artificially grow the size of the built binary and increase maintenance effort. We propose DepClean, a tool to determine the presence of bloated dependencies in Maven artifacts. We analyze 9,639 Java artifacts hosted on Maven Central, which include a total of 723,444 dependency relationships. Our key result is as follows: 2.7% of the dependencies directly declared are bloated, 15.4% of the inherited dependencies are bloated, and 57% of the transitive dependencies of the studied artifacts are bloated. In other words, it is feasible to reduce the number of dependencies of Maven artifacts to 1/4 of its current count. Our qualitative assessment with 30 notable open-source projects indicates that developers pay attention to their dependencies when they are notified of the problem. They are willing to remove bloated dependencies: 21/26 answered pull requests were accepted and merged by developers, removing 140 dependencies in total: 75 direct and 65 transitive.

show abstract

mentioning

confidence: 99%

A comprehensive study of bloated dependencies in the Maven ecosystem

et al. 2021

View full text Add to dashboard Cite

show abstract

“…The counterargument to this is that reused software can become more secure through its maturity and extensive vetting by other users. [14] investigated 301 open-source projects through a holistic multiple case-study methodology. What was concluded was that security vulnerabilities increase as the project size of the reusable software increases, especially when the user doesn't have a deep technical understanding over what they are necessarily using; i.e.…”

Section: Legal Issuesmentioning

confidence: 99%

“…Security vulnerabilities ultimately link to legal issues as any cyber-attack, and subsequent loss of customer data, or business continuity may lead to legal challenges from customers, and thus a financial cost [15]. [14] summarized their findings with the comment "code reuse is neither a frightening werewolf introducing an excessive number of vulnerabilities nor a silver bullet for avoiding them". Legal issues surrounding software reuse can be summarized into three types of protection, namely patents, trademarks and author law.…”

Section: Legal Issuesmentioning

confidence: 99%

Current Issues in Software Re-Usability: A Critical Review of the Methodological & Legal Issues

Tariq¹

2020

JSEA

View full text Add to dashboard Cite

The main objective of this research is to discuss the current legal and methodological issues in the field of software Re-Usability. Though there are enormous online forums discussing such issues via Q&A but this paper is an attempt to raise the awareness about the legal issues, which a software engineer may trap into. The paper discussed the current issues with software reusability within the legal and methodological context. This paper applied an extensive literature review to critically appraise the past studies to come to a collective conclusion. Prior to discussing the issues, the benefits of reuse were mentioned, including the saving of time and cost for users. But legally the reuse of software assets creates complexities for the user in relation to meeting all the licensing requirements and dealing with the liability in case of a breach. Methodologically, there are major barriers to reused software when it comes to technical competence and managerial issues such as a lack of resources. Even when reusing software to save time, and leverage off the specialization of other authors, the end-user must also have the technical expertise to search, adapt and merge these reusable assets into the larger software infrastructure. The review ultimately shows the high barriers still remain to software reuse which could mean that smaller developers and businesses will still be reluctant to fully utilize open-source components to the best advantage.

show abstract

“…Despite the existence of security mishaps and the initiatives to counteract them, to the best of our knowledge, there is a lack of large-scale studies that attempt to obtain an overview of how security vulnerabilities are associated with code reuse, so as to understand the phenomenon. To start filling this gap, we carried out a first exploratory study (Gkortzis et al, 2019) to investigate how potential vulnerabilities are distributed in open-source software-intensive systems, with regards to native code, i.e., written in-house by the software development team, and reused code, introduced through dependencies. We scope our research to answer concerns of software practitioners and researchers related to the potential security risks when they select to reuse software.…”

Section: Introductionmentioning

confidence: 99%

“…To achieve this goal, we considered a new set of 1244 Java projects and collected both disclosed vulnerabilities (reported in public datasets), 8 and potential vulnerabilities (detected based through static analysis). Adding to the initial characteristics we investigated (Gkortzis et al, 2019), we collected information regarding four characteristics of the projects and dependencies of our dataset, namely, (1) supported by wellknown communities, (2) belonging to an enterprise organization, (3) the number of their contributors, and (4) the frequency of usage in projects. In addition to the statistical analysis presented in our previous work we extended our analysis to incorporate the aforementioned dimensions.…”

Section: Introductionmentioning

confidence: 99%