[Paper Summary] Do Developers Update Their Library Dependencies? An Empirical Study on the Impact of Security Advisories on Library Migration
This empirical study examines how developers across 4,659 GitHub projects respond to security advisories for outdated third-party library dependencies. Despite widespread library reuse, 81.5% of the systems keep outdated dependencies, and 69% of the affected developers were unaware of the vulnerabilities, indicating a low response rate to security advisories and highlighting a critical gap in dependency maintenance practice.
Third-party library reuse has become common practice in contemporary software development, as it brings several benefits for developers. Library dependencies are constantly evolving, with newly added features and patches that fix bugs in older versions. To take full advantage of third-party reuse, developers should always keep up to date with the latest versions of their library dependencies. In this paper, we investigate the extent to which developers update their library dependencies. Specifically, we conducted an empirical study on library migration that covers over 4,600 GitHub software projects and 2,700 library dependencies. Results show that although many of these systems rely heavily on dependencies, 81.5% of the studied systems still keep their outdated dependencies. In the case of updating a vulnerable dependency, the study reveals that affected developers are not likely to respond to a security advisory. Surveying these developers, we find that 69% of the interviewees claim that they were unaware of their vulnerable dependencies. Furthermore, developers are not likely to prioritize library updates, citing it as extra effort and added responsibility. This study concludes that even though third-party reuse is commonplace, the practice of updating a dependency is not as common for many developers.
Motivation and Goals
- Understand the extent to which developers update their third-party library dependencies in real-world software projects.
- Examine how developers respond to security advisories for vulnerable library dependencies.
- Identify the barriers and drivers that shape library migration decisions.
- Model library migration patterns from both the system and the library perspective, based on empirical data.
- Provide a public dataset of 852,322 library dependency migrations for future research.
Proposed Method
- Collected and analyzed 4,659 GitHub projects to track how their library dependency versions change over time.
- Used version history and dependency metadata to trace migration events between versions of a library and migrations across different libraries.
- Built Library Migration Plots (LMPs) to visualize migration patterns and identify trends.
- Surveyed 69 developers affected by vulnerabilities to assess their awareness of the vulnerabilities and their migration behavior.
- Identified security advisories from the CVE database and other sources, and mapped them onto the vulnerable dependencies in the studied projects.
- Conducted case studies of migration decisions in 8 projects to analyze their decision process in depth.
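The migration tracing and advisory mapping described in the method above, as an added illustration that is not the paper's own tooling or data: the manifest snapshots and advisory entries are constructed, and treating "response" as the first manifest that no longer declares the vulnerable version is an assumption made here.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample (not the paper's data): one project's dependency manifest at
# successive commits, sorted by date; each maps library name -> declared version.
SNAPSHOTS = [
    (date(2015, 1, 10), {"commons-collections": "3.2.1", "json-lib": "2.4"}),
    (date(2015, 6, 2),  {"commons-collections": "3.2.1", "json-lib": "2.4"}),
    (date(2016, 3, 15), {"commons-collections": "3.2.2", "gson": "2.6"}),
]
# Constructed, illustrative advisories: (library, vulnerable version, advisory date, fixed version).
ADVISORIES = [
    ("commons-collections", "3.2.1", date(2015, 11, 6), "3.2.2"),
    ("gson", "2.5", date(2016, 1, 1), "2.6"),   # project never declared 2.5: not affected
    ("gson", "2.6", date(2016, 6, 1), "2.7"),   # still declared in the last snapshot: unresponsive
]

@dataclass
class Migration:
    when: date
    source: str   # "library:version" before the change
    target: str   # "library:version" after the change
    kind: str     # "version" (same library) or "library" (one library replaced by another)

def find_migrations(snapshots):
    """Version change of a retained library = version migration; a library dropped while
    another is added in the same commit = library-to-library migration (simplifying assumption)."""
    events = []
    for (_, prev), (when, cur) in zip(snapshots, snapshots[1:]):
        for lib in prev:
            if lib in cur and prev[lib] != cur[lib]:
                events.append(Migration(when, f"{lib}:{prev[lib]}", f"{lib}:{cur[lib]}", "version"))
        removed = [lib for lib in prev if lib not in cur]
        added = [lib for lib in cur if lib not in prev]
        for old, new in zip(removed, added):
            events.append(Migration(when, f"{old}:{prev[old]}", f"{new}:{cur[new]}", "library"))
    return events

def advisory_response_days(snapshots, advisories):
    """A project is affected if the last snapshot on or before the advisory date declares the
    vulnerable version; value = days until the first later snapshot without it, or None if never."""
    result = {}
    for lib, bad, published, _fixed in advisories:
        before = [snap for when, snap in snapshots if when <= published]
        if not before or before[-1].get(lib) != bad:
            continue
        moved = [when for when, snap in snapshots if when > published and snap.get(lib) != bad]
        result[f"{lib}:{bad}"] = (moved[0] - published).days if moved else None
    return result
```

On the constructed sample this yields one version migration and one library migration, a 130-day response to the first advisory, and a `None` entry for the dependency still declared at its vulnerable version.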
Experimental Results
Research Questions
- RQ1: To what extent do developers update their third-party library dependencies in practice?
- RQ2: How responsive are developers to security advisories for vulnerable library dependencies?
- RQ3: Which factors influence a developer's decision to migrate from, or stay on, an outdated library version?
- RQ4: How do developers perceive the effort, risk, and responsibility involved in library updates?
- RQ5: Which patterns and characteristics define library migration behavior across different systems and libraries?
Key Findings
- In 81.5% of the 4,659 projects studied, library dependencies remain on outdated versions, showing that delayed library updates are widespread.
- Despite existing CVE advisories, 69% of the developers affected by a vulnerability were unaware of the problem.
- Even when migration is technically feasible, developers often prefer older, more popular libraries over newer, potentially more secure versions.
- The main barriers to migration are lack of awareness, perceived low priority, and unclear responsibility for dependency maintenance.
- Security advisories alone are insufficient to trigger timely migration, since many developers take no action even after being notified.
- The study reveals a significant gap between the theoretical importance of dependency updates and real-world development in actual software engineering practice.
This summary was generated by AI and reviewed by a human editor.