
    Vulnerable Open Source Dependencies: Counting Those That Matter

    BACKGROUND: Vulnerable dependencies are a known problem in today's open-source software ecosystems because OSS libraries are highly interconnected and developers do not always update their dependencies. AIMS: In this paper we aim to present a precise methodology that combines the code-based analysis of patches with information on build, test and update dates, and on group, extracted from the code repository itself, and that therefore caters to the needs of industrial practice for the correct allocation of development and audit resources. METHOD: To understand the industrial impact of the proposed methodology, we considered the 200 most popular OSS Java libraries used by SAP in its own software. Our analysis included 10905 distinct GAVs (group, artifact, version) when considering all the library versions. RESULTS: We found that about 20% of the dependencies affected by a known vulnerability are not deployed, and therefore they do not represent a danger to the analyzed library because they cannot be exploited in practice. Developers of the analyzed libraries are able to fix (and are actually responsible for) 82% of the deployed vulnerable dependencies. The vast majority (81%) of vulnerable dependencies may be fixed by simply updating to a new version, while 1% of the vulnerable dependencies in our sample are halted, and therefore potentially require a costly mitigation strategy. CONCLUSIONS: Our case study shows that correct counting allows software development companies to receive actionable information about their library dependencies, and therefore to correctly allocate costly development and audit resources, which are spent inefficiently in the case of distorted measurements.
    Comment: This is a pre-print of the paper that appears, with the same title, in the proceedings of the 12th International Symposium on Empirical Software Engineering and Measurement, 201

    Modeling macroalgal forest distribution at Mediterranean scale: present status, drivers of changes and insights for conservation and management

    Macroalgal forests are one of the most productive and valuable marine ecosystems, yet they are strongly exposed to fragmentation and loss. Detailed large-scale information on their distribution is largely lacking, hindering conservation initiatives. In this study, a systematic effort to combine spatial data on Cystoseira C. Agardh canopies (Fucales, Phaeophyta) was carried out to develop a Habitat Suitability Model (HSM) at Mediterranean scale, providing critical tools to improve site prioritization for their management, restoration and protection. A georeferenced database on the occurrence of 20 Cystoseira species was produced by collecting all the available information from published and grey literature, web data portals and co-authors' personal data. Data were associated with 55 predictor variable layers in (ASCII) raster format and were used to develop the HSM by means of a Random Forest, a very effective Machine Learning technique. Knowledge about the distribution of Cystoseira canopies was available for about 14% of the Mediterranean coastline. Absence data were available for only 2% of the basin. Despite these gaps, our HSM showed high accuracy levels in reproducing Cystoseira distribution, so that the first continuous maps of the habitat across the entire basin were produced. Misclassification errors mainly occurred in the eastern and southern parts of the basin, where large gaps in knowledge emerged. The most relevant drivers were the geomorphological ones, followed by anthropogenic variables that serve as proxies of pollution and urbanization. Our model shows the importance of data sharing to combine a large number of spatial and environmental data, allowing areas with a high probability of Cystoseira occurrence to be identified as suitable for its presence. This approach encourages the use of this modeling tool for the prediction of Cystoseira distribution and for supporting and planning conservation and management initiatives.
    The step forward is to refine the spatial information of presence-absence data about Cystoseira canopies and of environmental predictors in order to address species-specific assessments.