Out of Sight, Still at Risk: The Lifecycle of Transitive Vulnerabilities in Maven

Piotr Przymus, Mikołaj Fejzer, Jakub Narębski, Krzysztof Rykaczewski, Krzysztof Stencel

TL;DR

This paper probes how transitive dependencies govern CVE persistence in the Maven ecosystem by applying Kaplan-Meier survival analysis to a large, graph-augmented dataset. It demonstrates that deeper dependency levels substantially extend vulnerability exposure, with linear regressions showing strong predictive power for mean and median fix times as a function of dependency level. The authors propose a graph-based model and outline practical guidance for dependency management to mitigate risk. The work offers a framework for measuring and reasoning about transitive vulnerability lifecycles, with potential impact on secure dependency practices and tool support in software ecosystems.

Abstract

The modern software development landscape heavily relies on transitive dependencies. They enable seamless integration of third-party libraries. However, they also introduce security challenges. Transitive vulnerabilities that arise from indirect dependencies expose projects to risks associated with Common Vulnerabilities and Exposures (CVEs). It happens even when direct dependencies remain secure. This paper examines the lifecycle of transitive vulnerabilities in the Maven ecosystem. We employ survival analysis to measure the time projects remain exposed after a CVE is introduced. Using a large dataset of Maven projects, we identify factors that influence the resolution of these vulnerabilities. Our findings offer practical advice on improving dependency management.
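As an added illustration that is not the paper's code or data: the abstract and TL;DR refer to Kaplan-Meier survival analysis of the time a project stays exposed after a CVE enters its dependency tree. The estimator below is written from scratch (no external library) over a small constructed set of exposure records grouped by dependency level, with unresolved exposures treated as right-censored, which is the property that makes survival analysis preferable to a plain average of fix times. The record layout, the `EXPOSURES` values and the function names are assumptions made for this example.

```python
"""Kaplan-Meier estimate of CVE exposure time by dependency level.

Added example; constructed data, not the paper's dataset or code.
"""
from collections import defaultdict
from fractions import Fraction

# Constructed exposure records: (dependency_level, days_observed, resolved).
# resolved=False means the exposure was still open when observation stopped
# (right-censored): all we know is that it lasted at least days_observed days.
EXPOSURES = [
    (1, 10, True), (1, 25, True), (1, 30, False), (1, 40, True), (1, 45, True),
    (2, 30, True), (2, 60, True), (2, 90, False), (2, 120, True), (2, 150, True),
    (3, 60, False), (3, 120, True), (3, 180, True), (3, 200, False), (3, 240, True),
]


def kaplan_meier(durations, events):
    """Return the survival curve as a list of (time, S(time)) steps.

    durations[i] is the observed time for subject i (time to fix, or time at
    which observation ended); events[i] is True if the fix happened at that
    time, False if the subject was censored. Exact Fractions avoid
    floating-point drift in the running product.
    """
    assert len(durations) == len(events)
    records = sorted(zip(durations, events))
    n_at_risk = len(records)
    survival = Fraction(1)
    steps = [(0, survival)]
    i = 0
    while i < len(records):
        t = records[i][0]
        fixed = censored = 0
        # Collect everything that happens at time t.
        while i < len(records) and records[i][0] == t:
            if records[i][1]:
                fixed += 1
            else:
                censored += 1
            i += 1
        # Censored subjects leave the risk set but do not lower S(t).
        if fixed:
            survival *= Fraction(n_at_risk - fixed, n_at_risk)
            steps.append((t, survival))
        n_at_risk -= fixed + censored
    return steps


def median_survival(steps):
    """Smallest time at which S(t) <= 1/2, or None if the curve never gets there."""
    for t, s in steps:
        if s <= Fraction(1, 2):
            return t
    return None


def survival_by_level(exposures):
    """Fit one Kaplan-Meier curve per dependency level."""
    by_level = defaultdict(list)
    for level, days, resolved in exposures:
        by_level[level].append((days, resolved))
    result = {}
    for level, recs in sorted(by_level.items()):
        steps = kaplan_meier([d for d, _ in recs], [e for _, e in recs])
        result[level] = {"steps": steps, "median": median_survival(steps)}
    return result


if __name__ == "__main__":
    for level, fit in survival_by_level(EXPOSURES).items():
        curve = ", ".join(f"S({t})={float(s):.2f}" for t, s in fit["steps"])
        print(f"level {level}: median exposure {fit['median']} days; {curve}")
```

The per-level median is read off the curve rather than computed from fix times alone, so the censored records (still-open exposures) push the curve to the right instead of being silently dropped; with the constructed data the median grows with dependency level, which is the shape of relationship the paper reports for real Maven projects.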

Paper Structure

This paper contains 11 sections, 3 figures, and 3 tables.

Figures (3)

  • Figure 1: CVEs survival by dependency level.
  • Figure 2: Mean resolution times across dependency levels with fitted linear regression model.
  • Figure 3: Linear regression analysis of mean and median vulnerability resolution times.