Reducing time of vulnerability exposure in open source software usage for public sector software development
Type of thesis
Status of the work
Background information on the work
Open source software is an integral part of modern software development. Commonly cited
benefits are faster and more cost-effective development, improved security, and
higher software quality. Furthermore, using open source is considered a vital part of
achieving digital sovereignty in the public sector, including in Europe and Germany. However,
integrating open source software as dependencies in a project also carries risks.
Vulnerable dependencies are a known threat in open source ecosystems, yet developers often
do not update their dependencies to safe versions to remediate the vulnerability exposure
those dependencies introduce.
This thesis followed a human-centered design process to identify possible reasons for this
neglect and aimed to develop an approach that reduces the time of exposure to vulnerabilities
in the open source software a project uses. Developers not, or only reluctantly, updating their vulnerable
dependencies is traced back to the uncertain impact on their projects, the risk of breaking
changes, and the inability to accurately estimate the potential migration effort upfront. Semantic
versioning is not followed consistently enough in new releases by package maintainers
for developers to trust a dependency's version number as an indicator of retained backward
compatibility. Various automated remediation tools exist that support developers in
identifying vulnerable dependency versions. However, they fall short of supporting developers
in pinpointing and migrating the breaking changes contained in remediating updates.
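The gap described above, shown as an added example that is not code from the thesis or from Debricked: for a vulnerable dependency, pick the nearest release that is outside every advisory's affected range and classify that update under semantic versioning, so that a remediating update which is only available as a major bump (the case where breaking changes must be expected) is surfaced explicitly. The package releases and advisory ranges are constructed for the example.

```python
"""Added example: nearest remediating release and its semver bump kind.
Releases and advisory ranges below are constructed, not real data."""
from dataclasses import dataclass

Version = tuple[int, int, int]


def parse(v: str) -> Version:
    major, minor, patch = (int(p) for p in v.split("."))
    return (major, minor, patch)


def bump_kind(current: Version, target: Version) -> str:
    """Under semver, a major bump may break callers; minor and patch should not."""
    if target[0] != current[0]:
        return "major"
    if target[1] != current[1]:
        return "minor"
    return "patch"


@dataclass
class Advisory:
    introduced: Version  # first affected version (inclusive)
    fixed: Version       # first fixed version (exclusive upper bound)

    def affects(self, v: Version) -> bool:
        return self.introduced <= v < self.fixed


def remediating_update(current: str, releases: list[str], advisories: list[Advisory]) -> dict:
    """Return whether `current` is exposed, the lowest safe newer release, and the bump kind."""
    cur = parse(current)
    if not any(a.affects(cur) for a in advisories):
        return {"exposed": False, "target": current, "bump": None}
    # Lowest release newer than the current one that no advisory affects.
    safe = sorted(v for v in map(parse, releases)
                  if v > cur and not any(a.affects(v) for a in advisories))
    if not safe:
        return {"exposed": True, "target": None, "bump": None}
    target = safe[0]
    return {"exposed": True, "target": ".".join(map(str, target)), "bump": bump_kind(cur, target)}


# Constructed sample data: two advisories with different affected ranges.
RELEASES = ["1.3.0", "1.4.0", "1.4.1", "1.5.0", "2.0.0", "2.0.1"]
ADVISORIES = [
    Advisory(parse("1.0.0"), parse("1.4.1")),  # fixed within the 1.x line
    Advisory(parse("1.5.0"), parse("2.0.1")),  # only fixed in a new major version
]
```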
To support developers in migrating to safe, remediating dependency versions faster, an
interface was developed that lets developers review the breaking changes in a dependency update
that potentially affect their projects before applying it. The interface was implemented
as a frontend prototype integrated into the Software Composition Analysis tool of Debricked,
the cooperation partner of this thesis. The user evaluations conducted affirmed improvements
in the users' perceived ability to accurately assess, and more quickly resolve, the needed migration
efforts with the prototype.