GitHub Says Developers Often Need Years to Address Some of the Vulnerabilities


As a new GitHub report reveals, developers often need years to address some of the vulnerabilities introduced in their software.

Based on an analysis of more than 45,000 active repositories, the report shows that it typically takes seven years for a vulnerability in a Ruby package to be addressed, and five years for one in an npm package, largely because the flaws go undetected or unnoticed for most of that time.

The Microsoft-owned platform explains that the repositories considered for the report use one of six supported package ecosystems (Composer, Maven, npm, NuGet, PyPI, or RubyGems) and have the dependency graph enabled.

Open source dependencies are most often used in JavaScript (94 percent), Ruby (90 percent), and .NET (90 percent), according to the report. Ruby (81 percent) and JavaScript (73 percent) repositories have had the highest chance of receiving a security alert from GitHub’s Dependabot over the past 12 months.

“Security vulnerabilities often go undetected for more than four years before being disclosed. Once they are identified, the package maintainer and security community typically create and release a fix in just over four weeks,” GitHub notes.

The software hosting platform also notes that most of the vulnerabilities identified in software are the result of coding errors rather than malicious attacks. An analysis of 521 advisories, however, found that 17% of them were linked to malicious behaviour.

Security vulnerabilities can affect software directly or through its dependencies (any code referenced and bundled to make a software package work). That is, the report reads, code can be vulnerable either because it contains vulnerabilities itself or because it relies on dependencies that contain them.

JavaScript was found to have the highest median number of direct dependencies, at ten, followed by Ruby and PHP at nine, Java at eight, and .NET and Python at six.

The report also singles out CVE-2020-8203 (prototype pollution in lodash, one of the most commonly used npm packages) as arguably the most impactful bug of the year: it triggered more than five million Dependabot alerts.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.