For RQ2 we used three timestamps per vulnerability: T_fix (the time of the fixing commit), T_ver (the release time of the patch version), and T_index (the time the patch version was published in the Golang Index). From these we calculated Lag_ver, the delay between the fixing commit and the patch version release, and Lag_index, the delay between the patch version release and its indexing.
DataSet of RQ2
For every vulnerability's repository we calculated LT_ver (lead time), the normal version release cycle range, and Lag_index (index lag time). Analyzing the results led to Finding 3, Finding 4 and Finding 5.
The Vulnerabilities Information dataset has 1269 entries and a file size of 1718 KB. It includes the CVE-ID, reference links, affected modules, and associated repository of each vulnerability.
The Repositories Information dataset has 441 entries and occupies 6580 KB. It includes the vulnerabilities, commits, issues, and tags associated with each repository.
The dependency relations dataset is by far the largest, with 18 million entries occupying 2.6 GB. It records module names, versions, and the time of each version's first occurrence.
The Vulnerability Tag Interval Information dataset, the output of RQ2, has 1269 entries and occupies 455 KB. For each vulnerability it records the repository, CVE-ID, normal release cycle range, T_fix, T_ver, T_index, LT_ver, Lag_ver, and Lag_index.
Findings
Finding-3: For 34.6% of vulnerabilities, the patch version of the vulnerable module was released more than a week after the fixing commit, and for 130 vulnerabilities the release came more than a month after the fixing commit. Such delays can impede patch propagation in the Golang Ecosystem.
Finding-4: The modules of 11.42% of vulnerabilities had patch version release lags beyond their repository's normal release cycle range, which can leave downstream libraries and projects vulnerable. However, of the vulnerabilities with Lag_ver > 1 week, 67.66% actually fell within their repository's normal version release cycle.
Finding-3 and Finding-4 are derived from the Vulnerabilities Information dataset and the Repositories Information dataset. From these two datasets we obtain T_fix and T_ver for each vulnerability and compute the normal release cycle range of its repository; the results are recorded in the Vulnerability Tag Interval Information dataset, which is then analyzed.
Finding-5: A majority (67.09%) of vulnerabilities had their patch version indexed swiftly. However, it is concerning that the patch versions of 21.94% of vulnerabilities were never indexed in the Golang Index.
This finding uses the Golang Index Information to extend the Vulnerability Tag Interval Information dataset: T_index and Lag_index are added for each vulnerability, and the resulting dataset is analyzed.
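The following is an added, self-contained illustration of the RQ2 pipeline behind Findings 3 to 5 (it is example code written for this page, not the authors' analysis scripts). It parses a constructed fragment in the newline-delimited JSON format served by index.golang.org/index (Path, Version, RFC 3339 Timestamp) to recover T_index, derives a release cycle range from a repository's tag history, and computes Lag_ver and Lag_index for one vulnerability. Two details are assumptions, since the page does not define them: the "normal release cycle range" is taken as the minimum and maximum gap between consecutive tags, and a lag is treated as explained by the cadence when it does not exceed that maximum gap. The module path example.com/vulnmod, its tags, and the index lines are constructed sample data.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// IndexRecord mirrors one line of the newline-delimited JSON feed served by
// index.golang.org/index: Path, Version and an RFC 3339 Timestamp.
type IndexRecord struct {
	Path      string    `json:"Path"`
	Version   string    `json:"Version"`
	Timestamp time.Time `json:"Timestamp"`
}

// ParseIndex parses a newline-delimited JSON feed into records.
func ParseIndex(feed string) ([]IndexRecord, error) {
	var recs []IndexRecord
	sc := bufio.NewScanner(strings.NewReader(feed))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var r IndexRecord
		if err := json.Unmarshal([]byte(line), &r); err != nil {
			return nil, fmt.Errorf("bad index line %q: %w", line, err)
		}
		recs = append(recs, r)
	}
	return recs, sc.Err()
}

// IndexTime returns T_index for a module version: the earliest time the index
// saw it. ok == false means the patch version was never indexed (Finding-5).
func IndexTime(recs []IndexRecord, path, version string) (t time.Time, ok bool) {
	for _, r := range recs {
		if r.Path == path && r.Version == version && (!ok || r.Timestamp.Before(t)) {
			t, ok = r.Timestamp, true
		}
	}
	return t, ok
}

// Tag is a version tag and its creation time, as in the repository dataset.
type Tag struct {
	Name string
	Time time.Time
}

// CycleRange is the [Min, Max] gap between consecutive tags of a repository.
// Assumption: the page does not define the "normal release cycle range";
// this example uses the spread of historical tag intervals.
type CycleRange struct{ Min, Max time.Duration }

// NormalCycle derives CycleRange from at least two tags (any order).
func NormalCycle(tags []Tag) (CycleRange, bool) {
	if len(tags) < 2 {
		return CycleRange{}, false
	}
	sorted := append([]Tag(nil), tags...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Time.Before(sorted[j].Time) })
	cr := CycleRange{Min: -1}
	for i := 1; i < len(sorted); i++ {
		gap := sorted[i].Time.Sub(sorted[i-1].Time)
		if cr.Min < 0 || gap < cr.Min {
			cr.Min = gap
		}
		if gap > cr.Max {
			cr.Max = gap
		}
	}
	return cr, true
}

// Lags holds the RQ2 quantities for one vulnerability.
type Lags struct {
	LagVer   time.Duration // T_ver - T_fix
	Indexed  bool          // patch version present in the index
	LagIndex time.Duration // T_index - T_ver, meaningful only when Indexed
	Normal   bool          // LagVer explained by the repo's release cadence
}

// ComputeLags evaluates one vulnerability. Assumption: a lag counts as
// "normal" when it does not exceed the longest historical tag interval.
func ComputeLags(tFix, tVer time.Time, recs []IndexRecord, path, version string, cycle CycleRange) Lags {
	l := Lags{LagVer: tVer.Sub(tFix)}
	l.Normal = l.LagVer <= cycle.Max
	if tIdx, ok := IndexTime(recs, path, version); ok {
		l.Indexed, l.LagIndex = true, tIdx.Sub(tVer)
	}
	return l
}

// Constructed sample data (not taken from the paper's datasets).
const sampleFeed = `
{"Path":"example.com/vulnmod","Version":"v1.2.0","Timestamp":"2023-01-10T00:00:00Z"}
{"Path":"example.com/other","Version":"v0.1.0","Timestamp":"2023-02-01T00:00:00Z"}
{"Path":"example.com/vulnmod","Version":"v1.2.1","Timestamp":"2023-03-05T12:00:00Z"}
`

var sampleTags = []Tag{
	{"v1.0.0", time.Date(2022, 9, 1, 0, 0, 0, 0, time.UTC)},
	{"v1.1.0", time.Date(2022, 11, 1, 0, 0, 0, 0, time.UTC)},
	{"v1.2.0", time.Date(2023, 1, 5, 0, 0, 0, 0, time.UTC)},
	{"v1.2.1", time.Date(2023, 3, 1, 0, 0, 0, 0, time.UTC)}, // the patch version, T_ver
}

func main() {
	recs, err := ParseIndex(sampleFeed)
	if err != nil {
		panic(err)
	}
	cycle, _ := NormalCycle(sampleTags)
	tFix := time.Date(2023, 2, 10, 0, 0, 0, 0, time.UTC)
	l := ComputeLags(tFix, sampleTags[3].Time, recs, "example.com/vulnmod", "v1.2.1", cycle)
	fmt.Printf("Lag_ver=%v Lag_index=%v indexed=%v normal=%v (cycle %v..%v)\n",
		l.LagVer, l.LagIndex, l.Indexed, l.Normal, cycle.Min, cycle.Max)
}
```

In the sample, the fix lands 19 days before the v1.2.1 tag (Lag_ver > 1 week, the Finding-3 threshold) but well inside the repository's 55 to 65 day tag cadence, so it is the kind of case Finding-4 counts as a normal release cycle; the index sees v1.2.1 four and a half days after the tag (Lag_index). Looking up a version that never appears in the feed returns Indexed == false, which is the unindexed-patch case of Finding-5. Against the real index, the feed would be fetched page by page with the since parameter and the comparison done on the full 18 million records.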