Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem
Introduction
The growth of software complexity has boosted component-based software development, and third-party libraries (TPLs) have been widely adopted as dependencies to reuse existing wheels and reduce development costs. we analyzed the impact of vulnerabilities and found that 66.10% of modules in the Golang ecosystem have versions with vulnerabilities, but few developers fix them, while 62.85% of the modules have yet to address these vulnerabilities. In the case of the dependents that we downloaded and use Go Modules, we found that only approximately a quarter of the VDs (vulnerability-dependent) implemented measures to address the vulnerabilities, with 66.12% opting to update the vulnerable version.
Overview
Main Contribution
We conducted large-scale analyses to evaluate the time lag of fixing vulnerabilities in Golang ecosystem.
We interacted with maintainers and users through inquiries to gain insights into the reasons for delayed patching and offered recommendations to potentially shorten the vulnerability life cycle.
Research Questions
RQ1: Vulnerability Impact Analysis. To what extent could TPL vulnerabilities affect modules in the Golang ecosystem?
RQ2: Patch Lagging Analysis. How long does it take to release and index the patch versions?
RQ3: Dependents Vulnerability Fixing. What are the fixing lags by dependents, and quantitatively what factors could facilitate the fixing?
RQ4: Inquiry of Reasons for Lags. What are the reasons for the patch lagging regarding both module maintainers and users?
Conclusion
Our analysis revealed that vulnerabilities had a significant impact on 66.10% of the modules, while $62.85\%$ of the dependents had not addressed these vulnerabilities. We quantitatively proved that the timely patch release and indexing could greatly facilitate the patch adoption by downstream users. Through the inquiries about reasons behind lagged patch release, indexing, and adoption, we learned that the maintainers have not fully utilized the Golang pre-release mechanism to accelerate patch propagation. And users are inclined to adopt patches if they are properly and timely pushed with patch updates. We further provided recommendations for the maintainers, users, and the package manager to enhance the security of Golang ecosystem.