ResourcesResearchEmpirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem
Research
Published on
September 1, 2024

Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem

Written By
Ding Sun
Zeyan Liu
Share

How can we effectively detect and address known vulnerabilities in existing Golang code bases to enhance software security and reliability?

We recently conducted an insightful interview with researchers Jinchang Hu from Army Engineering University of PLA and Prof. Yang Liu from NTU. Our discussion focused on the pervasive impact of known vulnerabilities within the Golang ecosystem and explored how their innovative approaches can mitigate these challenges. Notably, this work has been published by ICSE 2024. Stay tuned for key takeaways and expert perspectives on enhancing software security and reliability in decentralized ecosystems.

Scantist: Could you provide a brief overview of the motivation behind conducting this study on the vulnerabilities life cycle in the Golang ecosystem?

Jinchang: The study was motivated by the unique challenges posed by Golang’s decentralized dependency management mechanism. Unlike centralized ecosystems that use a registry for dependency management, Golang allows direct repository imports using commit hashes. This can lead to significant delays in the dissemination of patches, as dependencies are distributed in separate repositories. These delays result in prolonged exposure to vulnerabilities, impacting the overall security of the ecosystem. By investigating the life cycle of vulnerabilities from their introduction to their resolution, we aimed to identify the extent of these delays and propose solutions to enhance ecosystem security.

RQ1: Vulnerability Impact Analysis

Scantist: To what extent do TPL vulnerabilities affect modules in the Golang ecosystem? Jinchang: Our analysis found that 66.10% of Golang modules are affected by vulnerabilities. This high percentage illustrates the widespread impact of third-party library (TPL) vulnerabilities within the ecosystem. Additionally, we discovered that 62.85% of these affected modules had not yet fixed the vulnerabilities by the data collection date. This highlights the persistent nature of the problem and the need for more effective vulnerability management practices. The data also showed that the number of affected downstream dependents has been increasing over the years, indicating that vulnerabilities from past years continue to propagate and affect new projects.

Scantist: What trends did you observe regarding the proportion of affected downstream dependents over the years?

Jinchang: We observed that the proportion of affected downstream dependents has increased steadily over the years. Even vulnerabilities identified in 2019 and earlier continue to impact new and existing dependents, demonstrating the persistent and growing nature of the problem. The data indicates that despite efforts to fix some vulnerabilities, the overall number of affected dependents has not decreased significantly. This suggests that the ecosystem is not effectively containing the spread of vulnerabilities, and that legacy vulnerabilities continue to affect an increasing number of dependents, maintaining a steady proportion of affected modules while the ecosystem grows.

RQ2: Patch Lagging Analysis

Scantist: How long does it typically take to release and index patch versions for vulnerabilities in the Golang ecosystem?

Jinchang: Our findings show significant delays in both the release and indexing of patch versions. Specifically, 67.09% of vulnerabilities had their patch versions indexed within a week, indicating a prompt response for some vulnerabilities. However, 21.94% of vulnerabilities had patch versions that were never indexed in the Golang Index, primarily due to limited usage and lack of proactive maintenance by module maintainers. Furthermore, 32% of vulnerabilities did not have their patch versions released within a timely manner, with some taking over a month or even a year to be tagged after the fixing commit. These delays hinder the prompt propagation of patches to users.

Scantist: What factors contribute to these delays in releasing and indexing patch versions?

Jinchang: Several factors contribute to the delays in releasing and indexing patch versions. Firstly, the decentralized nature of Golang’s dependency management leads to complex repository management strategies, where fixing commits may be spread across multiple branches, causing delays in tagging and releasing patch versions. Secondly, maintainers often prioritize feature development over vulnerability fixes, leading to infrequent and delayed releases. Additionally, some maintainers may not be aware of the urgency of indexing patch versions in the Golang Index, resulting in unindexed patches. Lastly, compatibility concerns and testing requirements can further delay the release and indexing process, exacerbating the problem

.

RQ3: Dependents Vulnerability Fixing

Scantist: What are the fixing lags by dependents, and what factors could facilitate the fixing process?

Jinchang: The study revealed that only 4.51% of dependents addressed all vulnerabilities, while 71.87% did not address any. This highlights significant fixing lags among dependents. Factors that could facilitate the fixing process include timely release and indexing of patch versions, increased awareness of vulnerabilities among developers, and integration of third-party vulnerability checks into CI/CD pipelines. Our analysis showed that dependents are more likely to update to patch versions when they are readily available and indexed. Therefore, maintaining an up-to-date index and ensuring the availability of patch versions are crucial steps in reducing fixing lags.

Scantist: How do dependents typically address vulnerabilities in their dependencies?

Jinchang: Dependents typically address vulnerabilities through three main methods: removing the vulnerable module, upgrading to pseudo-versions, or updating to patch versions. Our findings indicate that using patch versions is the preferred method for fixing vulnerabilities, with 47.49% of all vulnerability-dependent mappings using this approach. This preference underscores the importance of timely releasing and indexing patch versions. When patch versions are unavailable, dependents often resort to using pseudo-versions or removing the vulnerable module entirely. However, these methods are less favored due to potential compatibility issues and the lack of stability associated with pseudo-versions.

RQ4: Inquiry of Reasons for Lags

Scantist: What are the main reasons for patch lagging regarding both module maintainers and users?

Jinchang: The main reasons for patch lagging include delays in tagging patch versions due to complex repository management, infrequent release cycles, and the subjective prioritization of maintainers. Maintainers may delay tagging and releasing patch versions to wait for additional feature additions or due to the complexity of managing multiple branches. For users, lack of awareness of available patches and compatibility concerns also contribute to delays in addressing vulnerabilities. Additionally, some maintainers prefer using pseudo-versions or master branches for updates, which can lead to further delays and

Scantist: How can the Golang community improve the timely propagation of patches to enhance ecosystem security?

Jinchang: The Golang community can improve the timely propagation of patches by adopting several key practices. Firstly, maintainers should prioritize timely tagging and indexing of patch versions to ensure they are readily available to users. Secondly, integrating vulnerability checks into CI/CD pipelines can help developers stay aware of and promptly address vulnerabilities. Additionally, establishing a centralized database for vulnerability and patch data would aid in the efficient distribution of fixes. Finally, encouraging better communication and collaboration between maintainers and users can help ensure that patches are applied quickly and effectively across the ecosystem.

Scantist: What are the key takeaways from your study for the Golang ecosystem and the broader open-source community?

Jinchang: The key takeaways from our study emphasize the need for improved practices in vulnerability management within the Golang ecosystem. Timely release and indexing of patch versions, better compatibility management, and proactive vulnerability checks are essential for enhancing ecosystem security. The study highlights the persistent nature of vulnerabilities and the significant impact they have on downstream dependents. For the broader open-source community, our findings underscore the importance of adopting centralized and standardized vulnerability management practices to ensure timely and effective remediation of vulnerabilities, ultimately improving the security and resilience of open-source software.