defensekvm.blogg.se

Open source java projects for students

On the other hand, External PRs also cover new features (380 out of 384 PRs) and bugs (120 out of 384). Unlike Internal PRs, External PRs cover documentation changes (44 out of 384 PRs), while not having as much refactoring (34 out of 384 PRs).


Moreover, fixes also belong to labels such as breaking changes, urgent, and on-hold. We find that 26.75% of External PRs submitted fix existing issues. Through a preliminary analysis, we find that External PRs are prevalent, and just as likely to be accepted as maintainer PRs. In this paper, we investigate the role by which External PRs (contributions from outside the core team of maintainers) contribute to a library. On the other hand, being open source has the benefit of receiving contributions (in the form of External PRs) to help fix bugs and add new features. These libraries may rely on a core team of maintainers (who might be a single maintainer that is unpaid and overworked) to serve a massive client user-base. The risk to using third-party libraries in a software application is that much needed maintenance is solely carried out by library maintainers.

, a novel test suite with 2,505 test cases that allow replicating the modifications on open-source dependencies. The results show that none of the scanners is able to handle all the types of modifications identified. We assessed the impact of these modifications on the performance of the open-source vulnerability scanners OWASP Dependency-Check (OWASP) and Eclipse Steady, GitHub Security Alerts, and three commercial scanners. In particular, we found that more than 87 percent (56 percent, resp.) of the vulnerable Java classes considered occur in Maven Central in re-bundled (re-packaged, resp.) form. , we identified four types of modifications: re-compilation, re-bundling, metadata-removal and re-packaging.


Through an empirical study on 7,024 Java projects developed at


This paper studies (i) types of modifications that may affect vulnerable open-source dependencies and (ii) their impact on the performance of vulnerability scanners. Several vulnerability scanners to detect known-vulnerable dependencies have appeared in the last decade; however, there exists no case study investigating the impact of development practices (e.g., forking, patching, re-bundling) on their performance. The use of vulnerable open-source dependencies is a known problem in today's software development.










