Tracing Vulnerabilities in Maven: A Study of CVE lifecycles and Dependency Networks
Corey Yang-Smith, Ahmad Abdellatif
TL;DR
This paper investigates how vulnerabilities propagate through the Maven ecosystem by analyzing CVE lifecycles and how maintainers respond to patches. Using the Goblin Ecosystem's Neo4j-based dependency graph, OSV.dev vulnerability data, and OpenDigger GitHub metrics, the authors study 3,362 CVEs across 1,470 artifacts and 190,945 releases, classifying CVE lifecycles into No-Patch, Patch-Before-Publish, and Publish-Before-Patch categories. Key findings include a dominant Patch-Before-Publish pattern, severity-driven patching speed for publish-before-patch cases, and strong correlations between vulnerability presence and project characteristics such as issue activity and contributor metrics; dependent patch adoption shows a median delay of about 151 days for Available Patch Adoption, with longer delays for Reactive Adoption. The results offer practical insights into vulnerability management in Maven and highlight the need for consistent patch adoption practices, improved collaboration in larger teams, and tooling support to accelerate mitigation across dependency networks.
Abstract
Software ecosystems rely on centralized package registries, such as Maven, to enable code reuse and collaboration. However, the interconnected nature of these ecosystems amplifies the risks posed by security vulnerabilities in direct and transitive dependencies. While numerous studies have examined vulnerabilities in Maven and other ecosystems, there remains a gap in understanding the behavior of vulnerabilities across parent and dependent packages, and the response times of maintainers in addressing vulnerabilities. This study analyzes the lifecycle of 3,362 CVEs in Maven to uncover patterns in vulnerability mitigation and identify factors influencing at-risk packages. We conducted a comprehensive study integrating temporal analyses of CVE lifecycles, correlation analyses of GitHub repository metrics, and assessments of library maintainers' response times to patch vulnerabilities, utilizing a package dependency graph for Maven. A key finding reveals a trend in "Publish-Before-Patch" scenarios: maintainers prioritize patching severe vulnerabilities more quickly after public disclosure, reducing response time by 48.3% from low (151 days) to critical severity (78 days). Additionally, project characteristics, such as contributor absence factor and issue activity, strongly correlate with the presence of CVEs. Leveraging tools such as the Goblin Ecosystem, OSV$.$dev, and OpenDigger, our findings provide insights into the practices and challenges of managing security risks in Maven.