Dependency Network Structure and Security Vulnerabilities in Software Supply Chains
研究了软件依赖网络的复杂性(依赖数量)和紧密耦合(相互依赖)如何影响依赖中存在安全漏洞的可能性,发现复杂性增加风险,而紧密耦合在特定条件下可能降低风险。
Software packages can be susceptible to attack whenever they utilize dependencies containing security vulnerabilities (vulnerable dependencies). We theorize that the likelihood of relying on vulnerable dependencies is heightened by two structural dimensions of dependency networks: complexity (dependency count) and tight coupling (interdependence). Analyzing 40,049 packages, we find that complexity is positively associated with this likelihood and that vertical complexity (depth) plays a more prominent role than horizontal complexity (breadth). However, tight coupling is negatively associated with the likelihood of vulnerable dependencies. Further analyses reveal that this relationship turns positive with greater complexity but becomes more strongly negative as the number of package developers and the average number of developers per dependency increase. Our findings identify key boundary conditions under which tight coupling may be beneficial and offer a nuanced understanding of how dependency network structure influences the security of dependencies and, more broadly, the security of software supply chains.