{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,10]],"date-time":"2026-04-10T16:13:29Z","timestamp":1775837609796,"version":"3.50.1"},"reference-count":43,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2022,2,7]],"date-time":"2022-02-07T00:00:00Z","timestamp":1644192000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-sa\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2022,12,31]]},"abstract":"<jats:p>In modern-day software development, a vast amount of public software libraries enable the reuse of existing implementations for reoccurring tasks and common problems. While this practice does yield significant benefits in productivity, it also puts an increasing amount of responsibility on library maintainers. If a security flaw is contained in a library release, then it may directly affect thousands of applications that are depending on it. Given the fact that libraries are often interconnected, meaning they are depending on other libraries for certain sub-tasks, the impact of a single vulnerability may be large, and is hard to quantify. Recent studies have shown that developers in fact struggle with upgrading vulnerable dependencies, despite ever-increasing support by automated tools, which are often publicly available. With our work, we aim to improve on this situation by providing an in-depth analysis on how developers handle vulnerability patches and dependency upgrades. To do so, we contribute a miner for artifact dependency graphs supporting different programming platforms, which annotates the graph with vulnerability information. We execute our application and generate a data set for the artifact repositories Maven Central, NuGet.org, and the NPM Registry, with the resulting graph being stored in a Neo4j graph database. Afterwards, we conduct an extensive analysis of our data, which is aimed at understanding the impact of vulnerabilities for the three different repositories. Finally, we summarize the resulting risks and derive possible mitigation strategies for library maintainers and software developers based on our findings. We found that NuGet.org, the smallest artifact repository in our sample, is subject to fewer security concerns than Maven Central or the NPM Registry. However, for all repositories, we found that vulnerabilities may influence libraries via long transitive dependency chains and that a vulnerability in a single library may affect thousands of other libraries transitively.<\/jats:p>","DOI":"10.1145\/3472811","type":"journal-article","created":{"date-parts":[[2021,7,2]],"date-time":"2021-07-02T13:09:02Z","timestamp":1625231342000},"page":"1-25","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":23,"title":["Analyzing the Direct and Transitive Impact of Vulnerabilities onto Different Artifact Repositories"],"prefix":"10.1145","volume":"3","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9367-2206","authenticated-orcid":false,"given":"Johannes","family":"D\u00fcsing","sequence":"first","affiliation":[{"name":"Technical University Dortmund, Dortmund, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9848-2017","authenticated-orcid":false,"given":"Ben","family":"Hermann","sequence":"additional","affiliation":[{"name":"Technical University Dortmund, Dortmund, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2022,2,7]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-019-09792-9"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.scico.2016.01.005"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-014-9325-9"},{"key":"e_1_3_2_5_2","first-page":"344","volume-title":"Proceedings of the 16th International Conference on Mining Software Repositories (MSR\u201919)","author":"Benelallam Amine","year":"2019","unstructured":"Amine Benelallam, Nicolas Harrand, C\u00e9sar Soto-Valero, Benoit Baudry, and Olivier Barais. 2019. The maven dependency graph: A temporal graph-based representation of maven central. In Proceedings of the 16th International Conference on Mining Software Repositories (MSR\u201919). IEEE Press, 344\u2013348. 10.1109\/MSR.2019.00060"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1109\/2.789755"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1145\/3418209"},{"issue":"3","key":"e_1_3_2_8_2","article-title":"Lags in the release, adoption, and propagation of npm vulnerability fixes","volume":"26","author":"Chinthanet Bodin","year":"2021","unstructured":"Bodin Chinthanet, Raula Gaikovina Kula, Shane McIntosh, Takashi Ishio, Akinori Ihara, and Kenichi Matsumoto. 2021. Lags in the release, adoption, and propagation of npm vulnerability fixes. Empir. Softw. Eng. 26, 3 (Mar2021). 10.1007\/s10664-021-09951-x","journal-title":"Empir. Softw. Eng."},{"key":"e_1_3_2_9_2","unstructured":"MITRE Corporation. 2019. CVE and NVD Relationship. Retrieved from https:\/\/cve.mitre.org\/about\/cve_and_nvd_relationship.html."},{"key":"e_1_3_2_10_2","unstructured":"MITRE Corporation. 2021. CVE List Home. Retrieved from https:\/\/cve.mitre.org\/cve\/."},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196401"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9589-y"},{"key":"e_1_3_2_13_2","unstructured":"Johannes D\u00fcsing and Ben Hermann. 2021. sse-labs\/dependency-graph-miner: Full release for final paper. 10.5281\/zenodo.5040439"},{"key":"e_1_3_2_14_2","first-page":"559","volume-title":"Proceedings of the IEEE International Conference on Software Maintenance and Evolution (ICSME\u201918)","author":"Zapata Rodrigo Elizalde","year":"2018","unstructured":"Rodrigo Elizalde Zapata, Raula Gaikovina Kula, Bodin Chinthanet, Takashi Ishio, Kenichi Matsumoto, and Akinori Ihara. 2018. Towards smoother library migrations: A look at vulnerable dependency migrations at function level for npm JavaScript packages. In Proceedings of the IEEE International Conference on Software Maintenance and Evolution (ICSME\u201918). 559\u2013563. 10.1109\/ICSME.2018.00067"},{"key":"e_1_3_2_15_2","unstructured":"Apache Software Foundation. 2020. Maven\u2014Introduction. Retrieved from https:\/\/maven.apache.org\/what-is-maven.html."},{"key":"e_1_3_2_16_2","first-page":"79","volume-title":"Modeling the Security Ecosystem\u2014The Dynamics of (In)Security","author":"Frei Stefan","year":"2010","unstructured":"Stefan Frei, Dominik Schatzmann, Bernhard Plattner, and Brian Trammell. 2010. Modeling the Security Ecosystem\u2014The Dynamics of (In)Security. 79\u2013106. 10.1007\/978-1-4419-6967-5_6"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-22888-0_13"},{"key":"e_1_3_2_18_2","unstructured":"Hackerone. 2020. Hack the Pentagon. Retrieved from https:\/\/www.hackerone.com\/hack-the-pentagon."},{"key":"e_1_3_2_19_2","doi-asserted-by":"crossref","first-page":"207","DOI":"10.1007\/978-3-642-21347-2_16","article-title":"On the extent and nature of software reuse in open source Java projects","volume":"6727","author":"Heinemann Lars","year":"2011","unstructured":"Lars Heinemann, Florian Deissenboeck, Mario Gleirscher, Benjamin Hummel, and Maximilian Irlbeck. 2011. On the extent and nature of software reuse in open source Java projects. In Proceedings of the Top Productivity Through Software Reuse: 12th International Conference on Software Reuse (ICSR\u201911), vol. 6727, 207\u2013222. 10.1007\/978-3-642-21347-2_16","journal-title":"Proceedings of the Top Productivity Through Software Reuse: 12th International Conference on Software Reuse (ICSR\u201911)"},{"key":"e_1_3_2_20_2","unstructured":"NPM Inc.2020. About NPM. Retrieved from https:\/\/docs.npmjs.com\/about-npm."},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-017-9521-5"},{"key":"e_1_3_2_22_2","unstructured":"Gabriel Lawrence and Chris Frohoff. Marshalling Pickles\u2014How Deserializing Objects Can Ruin Your Day. Retrieved from https:\/\/www.slideshare.net\/frohoff1\/appseccali-2015-marshalling-pickles."},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/52.311048"},{"key":"e_1_3_2_24_2","unstructured":"Snyk Limited. 2020. Snyk - Disclosing vulnerabilities. Retrieved from https:\/\/support.snyk.io\/hc\/en-us\/articles\/360005933037-Snyk-open-source-packages-disclosure-policy."},{"key":"e_1_3_2_25_2","unstructured":"Snyk Limited. 2021. Snyk Intel Vulnerability Database. Retrieved from https:\/\/snyk.io\/product\/vulnerability-database\/."},{"key":"e_1_3_2_26_2","unstructured":"Microsoft. 2019. An Introduction to NuGet. Retrieved from https:\/\/docs.microsoft.com\/en-us\/nuget\/what-is-nuget."},{"key":"e_1_3_2_27_2","unstructured":"Microsoft. 2020. Create .NET Apps Faster with NuGet. Retrieved from https:\/\/www.nuget.org\/."},{"key":"e_1_3_2_28_2","unstructured":"Microsoft. 2020. Microsoft Online Services Bounty Program. Retrieved from https:\/\/www.microsoft.com\/en-us\/msrc\/bounty-microsoft-cloud?rtc=1."},{"key":"e_1_3_2_29_2","unstructured":"MvnRepository. 2021. Central Repository. Retrieved from https:\/\/mvnrepository.com\/repos\/central."},{"key":"e_1_3_2_30_2","unstructured":"MvnRepository. 2021. Jackson Databind. Retrieved from https:\/\/mvnrepository.com\/artifact\/com.fasterxml.jackson.core\/jackson-databind."},{"key":"e_1_3_2_31_2","unstructured":"Oracle. 2015. Understanding Maven Version Numbers. Retrieved from https:\/\/docs.oracle.com\/middleware\/1212\/core\/MAVEN\/maven_version.htm#MAVEN402."},{"key":"e_1_3_2_32_2","unstructured":"OW2. 2021. FASTEN Project. Retrieved from https:\/\/www.fasten-project.eu\/view\/Main\/."},{"key":"e_1_3_2_33_2","volume-title":"Proceedings of the 12th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM\u201918)","author":"Pashchenko Ivan","year":"2018","unstructured":"Ivan Pashchenko, Henrik Plate, Serena Elisa Ponta, Antonino Sabetta, and Fabio Massacci. 2018. Vulnerable open source dependencies: Counting those that matter. In Proceedings of the 12th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM\u201918). Association for Computing Machinery, New York, NY, Article 42, 10 pages. 10.1145\/3239235.3268920"},{"key":"e_1_3_2_34_2","first-page":"1","article-title":"Vuln4Real: A methodology for counting actually vulnerable dependencies","author":"Pashchenko I.","year":"2020","unstructured":"I. Pashchenko, H. Plate, S. E. Ponta, A. Sabetta, and F. Massacci. 2020. Vuln4Real: A methodology for counting actually vulnerable dependencies. IEEE Trans. Softw. Eng. 48, 5 (2020), 1. 10.1109\/TSE.2020.3025443","journal-title":"IEEE Trans. Softw. Eng."},{"key":"e_1_3_2_35_2","first-page":"1513","volume-title":"Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS\u201920)","author":"Pashchenko Ivan","year":"2020","unstructured":"Ivan Pashchenko, Duc-Ly Vu, and Fabio Massacci. 2020. A qualitative study of dependency management and its security implications. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS\u201920). Association for Computing Machinery, New York, NY, 1513\u20131531. 10.1145\/3372297.3417232"},{"key":"e_1_3_2_36_2","article-title":"The state of open source security in commercial applications","author":"Pittenger Mike","year":"2016","unstructured":"Mike Pittenger. 2016. The state of open source security in commercial applications. Black Duck Open Source Security Analysis. https:\/\/sq-software.com\/wp-content\/uploads\/2016\/12\/2016-12-OS-Security-Analysis.pdf.","journal-title":"Black Duck Open Source Security Analysis"},{"key":"e_1_3_2_37_2","first-page":"449","volume-title":"Proceedings of the IEEE International Conference on Software Maintenance and Evolution (ICSME\u201918)","author":"Ponta S. E.","year":"2018","unstructured":"S. E. Ponta, H. Plate, and A. Sabetta. 2018. Beyond metadata: Code-centric and usage-based analysis of known vulnerabilities in open-source software. In Proceedings of the IEEE International Conference on Software Maintenance and Evolution (ICSME\u201918). 449\u2013460. 10.1109\/ICSME.2018.00054"},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-020-09830-x"},{"key":"e_1_3_2_39_2","unstructured":"Open Web Application Security Project. 2020. Dependency-Check Maven. Retrieved from https:\/\/jeremylong.github.io\/DependencyCheck\/dependency-check-maven\/index.html."},{"key":"e_1_3_2_40_2","first-page":"25","volume-title":"Proceedings of the 9th International Workshop on Empirical Software Engineering in Practice (IWESEP\u201918)","author":"Ruohonen J.","year":"2018","unstructured":"J. Ruohonen. 2018. An empirical analysis of vulnerabilities in python packages for web applications. In Proceedings of the 9th International Workshop on Empirical Software Engineering in Practice (IWESEP\u201918). 25\u201330. 10.1109\/IWESEP.2018.00013"},{"key":"e_1_3_2_41_2","doi-asserted-by":"publisher","DOI":"10.5555\/2337223.2337314"},{"issue":"3","key":"e_1_3_2_42_2","article-title":"A comprehensive study of bloated dependencies in the Maven ecosystem","volume":"26","author":"Soto-Valero C\u00e9sar","year":"2021","unstructured":"C\u00e9sar Soto-Valero, Nicolas Harrand, Martin Monperrus, and Benoit Baudry. 2021. A comprehensive study of bloated dependencies in the Maven ecosystem. Empir. Softw. Eng. 26, 3 (Mar.2021). 10.1007\/s10664-020-09914-8","journal-title":"Empir. Softw. Eng."},{"key":"e_1_3_2_43_2","unstructured":"Synopsys Inc.2021. Open Source Security and Risk Analysis Report. Retrieved from https:\/\/www.synopsys.com\/software-integrity\/resources\/analyst-reports\/open-source-security-risk-analysis.html."},{"key":"e_1_3_2_44_2","unstructured":"NPM Security Team. 2016. Security Holding Package. Retrieved from https:\/\/www.github.com\/npm\/security-holder#readme."}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3472811","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3472811","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T20:11:56Z","timestamp":1750191116000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3472811"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,2,7]]},"references-count":43,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2022,12,31]]}},"alternative-id":["10.1145\/3472811"],"URL":"https:\/\/doi.org\/10.1145\/3472811","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"value":"2692-1626","type":"print"},{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,2,7]]},"assertion":[{"value":"2020-11-30","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-06-24","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-02-07","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}