We selected the top 1K most starred repositories from GitHub.
The first 480 selected repositories have more than 10k stars.
The first 153 selected repositories have more than 20k stars.
Exclusion:
115 have no package.json (no dependency configuration).
239 use yarn (Yarn uses different dependency resolution strategies; remediation is possible if a yarn.lock can also be generated).
27 have no dependencies (nothing to remediate).
159 have dependencies that are not in the NPM registry (the missing package cannot be captured in DVGraph, so the corresponding dependency relation cannot be resolved).
The remaining 460 projects are selected as experimental data.
Overall, our DTReme handles more vulnerabilities than npm audit fix.
Among the 262 projects that have vulnerabilities in their dependencies, our DTReme performs better than npm audit fix in 77 projects (i.e., the deep gray cell), while only 30 projects (i.e., the light gray cell) show the opposite. These 30 cases arise because npm audit fix sometimes remediates vulnerabilities by violating direct dependency constraints, whereas our remediation strictly follows the user-defined dependency constraints.
Besides, among the 155 projects in which DTReme and npm audit fix perform the same, DTReme reduces more vulnerable paths introduced by these vulnerable points in 16 projects.
Dependency Data
The raw data is organized as one json file per selected GitHub project, with the following fields:
id: the id of the project.
exists_package_json: whether this project contains a "package.json" file.
exists_package_lock: whether this project contains a "package-lock.json" file.
exists_yarn_lock: whether this project contains a "yarn.lock" file.
package_json: the content of the "package.json" file, if it exists.
package-lock: the content of the "package-lock.json" file, if it exists.
yarn-lock: the content of the "yarn.lock" file, if it exists.
installDep: the dependency tree obtained from installation (Physical Tree).
audit: the output from "npm audit" when we run it on the installed dependencies.
auditDep: the dependency tree after we run "npm audit fix".
remeDep: the dependency tree after we run DTReme.
Compare Data
The compare data is also organized as one json file per selected GitHub project, with the following fields:
id: the id of the project.
audit: the vulnerable points and vulnerable paths in the installed dependency tree of this project.
audit_fix: the vulnerable points and vulnerable paths in the dependency tree of this project after running "npm audit fix".
remediation_fix: the vulnerable points and vulnerable paths in the dependency tree of this project after running DTReme.
Each of these three fields is organized as:
{
    <vulnerable point (lib:ver)>: [[vul path 1], [vul path 2], ... [vul path n]],
    ...
}
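As an added example (not part of the dataset or the DTReme tooling), the following script reads compare records in the layout above and reproduces the comparison used in the results: first the number of vulnerable points left after each fix, and, on a tie, the number of vulnerable paths. The records, library names and versions below are constructed for illustration.

```python
import json
from collections import Counter

# Constructed compare-data records (one per project) in the layout described
# above; names and versions are placeholders, not real packages from the dataset.
SAMPLE_RECORDS = [
    {
        "id": 1,
        "audit": {"libA:1.0.0": [["libA"], ["libB", "libA"]],
                  "libC:2.3.4": [["libC"]]},
        "audit_fix": {"libC:2.3.4": [["libC"]]},   # npm audit fix left one point
        "remediation_fix": {},                      # DTReme left none
    },
    {
        "id": 2,
        "audit": {"libD:0.9.1": [["libD"], ["libE", "libD"], ["libF", "libD"]]},
        "audit_fix": {"libD:0.9.1": [["libE", "libD"], ["libF", "libD"]]},
        "remediation_fix": {"libD:0.9.1": [["libF", "libD"]]},  # same point, fewer paths
    },
]

def count_points_and_paths(content):
    """Return (#vulnerable points, #vulnerable paths) for one content block
    shaped like {'lib:ver': [[path], ...]} (an 'audit', 'audit_fix' or
    'remediation_fix' field)."""
    return len(content), sum(len(paths) for paths in content.values())

def compare_project(record):
    """Classify one project: vulnerable points decide; on a tie, check whether
    DTReme also left fewer vulnerable paths than npm audit fix."""
    fix_points, fix_paths = count_points_and_paths(record["audit_fix"])
    reme_points, reme_paths = count_points_and_paths(record["remediation_fix"])
    if reme_points < fix_points:
        return "dtreme_better"
    if reme_points > fix_points:
        return "audit_fix_better"
    return "tie_fewer_paths" if reme_paths < fix_paths else "tie"

def summarize(records):
    """Tally per-project outcomes across all compare records."""
    return Counter(compare_project(r) for r in records)

def load_records(paths):
    """Load compare json files from disk, one project per file."""
    records = []
    for p in paths:
        with open(p, encoding="utf-8") as f:
            records.append(json.load(f))
    return records

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_RECORDS)))
```

Point `load_records` at the compare json files to compute the same tallies over the real dataset.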