Out of Sight, Still at Risk: The Lifecycle of Transitive Vulnerabilities in Maven

April 07, 2025 Β· Declared Dead Β· πŸ› IEEE Working Conference on Mining Software Repositories

πŸ‘» CAUSE OF DEATH: Ghosted
No code link whatsoever

"No code URL or promise found in abstract"

Evidence collected by the PWNC Scanner

Authors Piotr Przymus, MikoΕ‚aj Fejzer, Jakub NarΔ™bski, Krzysztof Rykaczewski, Krzysztof Stencel arXiv ID 2504.04803 Category cs.SE: Software Engineering Cross-listed cs.CR Citations 2 Venue IEEE Working Conference on Mining Software Repositories Last Checked 4 months ago
Abstract
The modern software development landscape heavily relies on transitive dependencies. They enable seamless integration of third-party libraries. However, they also introduce security challenges. Transitive vulnerabilities that arise from indirect dependencies expose projects to risks associated with Common Vulnerabilities and Exposures (CVEs). It happens even when direct dependencies remain secure. This paper examines the lifecycle of transitive vulnerabilities in the Maven ecosystem. We employ survival analysis to measure the time projects remain exposed after a CVE is introduced. Using a large dataset of Maven projects, we identify factors that influence the resolution of these vulnerabilities. Our findings offer practical advice on improving dependency management.
Community shame:
Not yet rated
Community Contributions

Found the code? Know the venue? Think something is wrong? Let us know!

πŸ“œ Similar Papers

In the same crypt β€” Software Engineering

Died the same way β€” πŸ‘» Ghosted