What are Weak Links in the npm Supply Chain?

Zahan, Nusrat; Zimmermann, Thomas; Godefroid, Patrice; Murphy, Brendan; Maddila, Chandra; Williams, Laurie

doi:10.48550/arxiv.2112.10165

Cited by 1 publication

(4 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We collected the data for these three registries at the end of December 2021. For NPM, we use the dataset from [40] that was constructed in August 2021. While the download count can be inflated in different ways, including through CI/CD tooling, sampling the most downloaded packages to study a package ecosystem is an established approach [16,37] and provides an estimation of the most used packages in a registry.…”

Section: Package Selectionmentioning

confidence: 99%

“…Supply chain security: Recent works have focused on the secure use of open source dependencies as part of the software supply chain [24,31,40,41]. Duan et al have proposed static and dynamic analysis approaches to detect malicious packages for the interpreted languages [19], while Sejfia et al have proposed machine learning models to detect malicious npm packages [33].…”

Section: Related Workmentioning

confidence: 99%

“…Zimmermann et al [41] and Liu et al [27] have looked at the vulnerability propagation in the npm ecosystem, while Alfadel et al [14] have investigated the PyPI ecosystem. Similarly, Zahan et al [40] and Bommarito et al [16] have looked at various quality issues in the npm and PyPI ecosystems, respectively. Further, Imtiaz et al [23] have looked at how packages release security fixes with an ecosystem-wide analysis for seven package registries.…”

Section: Related Workmentioning

confidence: 99%

“…While the existence of malicious packages in different ecosystems is well-known [31], popular packages from reliable sources can also be compromised, such as through: (1) hijacking of a maintainer's account; (2) a maintainer going rogue; (3) account handover through social engineering; and (4) build system compromise. [31,40] Therefore, practitioners are now recommended to review dependency updates before merging them into the codebase [3,39], as the responsibility of security lies on the consumer when using free open-source code [38]. However, manually reviewing all the code changes in each update may not be a practical solution, as projects may have hundreds of direct and transitive dependencies [24,34].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Are your dependencies code reviewed?: Measuring code review coverage in dependency updates

Imtiaz¹,

Williams²

2022

Preprint

Self Cite

View full text Add to dashboard Cite

As modern software extensively uses free open source packages as dependencies, developers have to regularly pull in new third-party code through frequent updates. However, without a proper review of every incoming change, vulnerable and even malicious code can sneak into the codebase through these dependencies. The goal of this study is to aid developers in securely accepting dependency updates by measuring if the code changes in an update have passed through a code review process. We implement DepDive, an update audit tool for packages in Crates.io, npm, PyPI, and RubyGems registry. DepDive first (i) identifies the files and the code changes in an update that cannot be traced back to the package's source repository, i.e., phantom artifacts; and then (ii) measures what portion of changes in the update, excluding the phantom artifacts, has passed through a code review process, i.e., code review coverage.Using DepDive, we present an empirical study across the latest ten updates of the most downloaded 1000 packages in each of the four registries. Our study unveils interesting insights while also providing an evaluation of our proposed approach. We find that phantom artifacts are not uncommon in the updates (20.1% of the analyzed updates had at least one phantom file). The phantoms can appear either due to legitimate reasons, such as in the case of programmatically generated files, or from accidental inclusion, such as in the case of files that are ignored in the repository. However, without provenance tracking, we cannot audit if the changes in these phantom artifacts were code-reviewed or not.Regarding code review coverage (CRC), we find the updates are typically only partially code-reviewed (52.5% of the time). Further, only 9.0% of the packages had all their updates in our data set fully code-reviewed, indicating that even the most used packages can introduce non-reviewed code in the software supply chain. We also observe that updates either tend to have very high CRC or very low CRC, suggesting that packages at the opposite end of the spectrum may require a separate set of treatments.

show abstract

Section: Package Selectionmentioning

confidence: 99%