RQ3 analyzes how users address vulnerabilities at a finer granularity by examining the modification history of the Golang dependency manifest file go.sum for each affected dependent module.
Dataset of RQ3
We gathered and downloaded all GitHub-hosted dependents that met the criterion of having a vulnerability whose T_fix (fix commit time) falls after April 10, 2019. We then analyzed the Git history of each dependent to obtain T_dept (dependent fix time). Analyzing the results led to Finding 6 and Finding 7.
The dependency relations dataset is large: 476 million entries occupying 122 GB.
The vulnerability information dataset has 1269 entries (1718 KB) and records the CVE-ID, reference links, affected modules, and associated repositories.
The repository information dataset has 441 entries (6580 KB) and records the vulnerabilities, commits, issues, and tags associated with each repository.
A second vulnerability information dataset has 1269 entries (455 KB) and records, per vulnerability, the repository, CVE-ID, normal release cycle ranges, T_fix, T_ver, T_index, LT_ver, Lag_ver, and Lag_index.
A second repository information dataset has 451,000 entries (511 MB).
A third repository information dataset has 2.4 million entries (635 MB) and records the precise fixing time and fixing model for each dependent.
Findings
Finding-6: Only about a quarter of the VDs have taken measures to address the vulnerability. (We count vulnerability-dependent mappings in a unit that pairs one vulnerability with one of its dependents; we call such a pair a vulnerability-dependent, or VD.) Among the VDs that did, the majority (66.12%) updated the vulnerable version, and of those, 70.68% moved to the patch version rather than to a pseudo-version.
This finding uses the Dependencies Relations, Vulnerabilities Information, and Repositories Information datasets, which are analyzed to produce the Analyzing Dependents dataset. Those dependents are then downloaded and, guided by the Vulnerabilities Information and Repositories Information datasets, the git history of each dependent's go.sum is analyzed to produce the Exactly Fixing Time dataset, which is then analyzed in turn.
Finding-7: Updating to the patch version was the most common way of fixing vulnerabilities, used in 47.49% of all VDs. Maintainers should therefore release a patch version as soon as a fixing commit is available.
This finding uses the Exactly Fixing Time dataset and the Vulnerability Tag Interval Information dataset.
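As an added example (not code from the study or its artifact), the following Python sketches the go.sum history analysis behind Findings 6 and 7: each go.sum snapshot from a dependent's git history is parsed, the highest recorded version of the affected module is compared against the fix, and the first fixing commit yields T_dept together with the fix model (patch version or pseudo-version). The module name, timestamps, hashes, and the criterion that a pseudo-version counts as fixed when its embedded commit time is not before T_fix are assumptions of this example, not the paper's definitions.

```python
import re
from datetime import datetime, timezone

# Every Go pseudo-version form ends in <yyyymmddhhmmss>-<12-hex commit prefix>.
PSEUDO_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+).*?(\d{14})-[0-9a-f]{12}$")
RELEASE_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+)$")

def version_key(version):
    """Sort key; pseudo-version vX.Y.Z-0.<ts>-<hash> sorts between releases vX.Y.(Z-1) and vX.Y.Z."""
    m = PSEUDO_RE.match(version)
    if m:
        return tuple(int(x) for x in m.groups()[:3]) + (0, m.group(4))
    m = RELEASE_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version syntax: {version}")
    return tuple(int(x) for x in m.groups()) + (1, "")

def highest_version(go_sum, module):
    """Highest version of `module` in one go.sum snapshot (stale rows linger, so take the max)."""
    versions = [p[1].replace("+incompatible", "") for p in
                (line.split() for line in go_sum.splitlines())
                if len(p) == 3 and p[0] == module and not p[1].endswith("/go.mod")]
    return max(versions, key=version_key) if versions else None

def is_fixed(version, fix_version, t_fix):
    """Assumed criterion: release >= fix release, or pseudo-version whose commit time >= T_fix."""
    m = PSEUDO_RE.match(version)
    if m:
        ts = datetime.strptime(m.group(4), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return ts >= t_fix
    return version_key(version) >= version_key(fix_version)

def dependent_fix_time(history, module, fix_version, t_fix):
    """history: chronological (commit_time, go.sum text) pairs, e.g. from `git log --reverse -p -- go.sum`.
    Returns (T_dept, fix model) for the first commit resolving `module` to a fixed version, else None."""
    for commit_time, go_sum in history:
        current = highest_version(go_sum, module)
        if current and is_fixed(current, fix_version, t_fix):
            return commit_time, "pseudo-version" if PSEUDO_RE.match(current) else "patch version"
    return None

# Constructed sample (assumed module name, times and fake h1: hashes): one vulnerable go.sum,
# one dependent moving to a pseudo-version after T_fix, one moving to the patch release.
def utc(*a): return datetime(*a, tzinfo=timezone.utc)
MODULE, T_FIX = "example.com/vulnmod", utc(2019, 4, 12, 9, 0)
SUM_VULN = "example.com/vulnmod v1.2.2 h1:aaaa=\nexample.com/vulnmod v1.2.2/go.mod h1:bbbb=\n"
SUM_PSEUDO = SUM_VULN + "example.com/vulnmod v1.2.3-0.20190415103000-0123456789ab h1:cccc=\n"
SUM_PATCH = SUM_VULN + "example.com/vulnmod v1.2.3 h1:dddd=\nexample.com/vulnmod v1.2.3/go.mod h1:eeee=\n"
HISTORY_PSEUDO = [(utc(2019, 4, 1), SUM_VULN), (utc(2019, 4, 20), SUM_PSEUDO)]
HISTORY_PATCH = [(utc(2019, 4, 1), SUM_VULN), (utc(2019, 5, 2), SUM_PATCH)]
```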