Reducing time of vulnerability exposure in open source software usage for public sector software development

Open source software is an integral part of modern software development. Often-named

benefits are increased speed and cost-effectiveness of development, improved security, and

higher quality in software. Furthermore, using open source is considered a vital part for

achieving digital sovereignty in public sectors, i.a. in Europe and Germany. However,

developers integrating open source software as dependencies in their projects also holds risks.

Vulnerable dependencies are a known threat in open source ecosystems, yet developers often

do not update their dependencies to safe versions to remediate the vulnerability exposure

introduced by those.

This thesis followed a human-centered design process to identify possible reasons for this

neglect and aimed at developing an approach to reduce the time of exposure to vulnerabilities

in used open source software. Developers not, or only reluctantly, updating their vulnerable

dependencies is traced back to uncertain impact on their projects, the risk of breaking

changes, and the inability to estimate potential migration effort upfront accurately. Semantic

versioning as convention is not consistently followed in new releases by package maintainers

to the extent that developers do not trust dependency versions to assess retained backward

compatibility. Different automated remediation tools exist that support developers in

identifying vulnerable dependency versions. However, they stall at supporting developers

to pinpoint and migrate breaking dependency changes in remediating updates.

In order to support developers in migrating safe, remediating dependency versions faster, an

interface was developed to let developers review breaking changes in dependency updates

that potentially affect their projects before applying them. The interface was implemented

as a frontend prototype integrated into the Debricked Software Composition Analysis tool,

the cooperation partner of this thesis. Conducted user evaluations affirmed improvements

in the users’ perceived ability to accurately assess and faster resolve needed migration

efforts with the prototype.