DI-UMONS : Institutional repository of the University of Mons

2019-02-24 - Conference/Article in peer-reviewed proceedings - English - 5 page(s)

Zerouali Ahmed, Cosentino Valerio, Mens Tom, Robles Gregorio, Gonzalez-Barahona Jesus, "On the Impact of Outdated and Vulnerable Javascript Packages in Docker Images" in IEEE International Conference on Software Analysis, Evolution, and Reengineering, Hangzhou, China, 2019

  • CREF codes: Applied computer science, software (DI2570), General computer science (DI1162), Analysis of computer systems (DI2572)
  • UMONS research units: Software Engineering (S852)
  • UMONS institutes: Institut de Recherche en Technologies de l’Information et Sciences de l’Informatique (InforTech)

Abstract(s):

(English) Containerized applications, and in particular Docker images, are becoming a common solution in cloud environments to meet ever-increasing demands in terms of portability, reliability and fast deployment. A Docker image includes all environmental dependencies required to run it, such as specific versions of system and third-party packages. Leveraging its modularity, an image can be easily embedded in other images, thus simplifying the way of sharing dependencies and building new software. However, the dependencies included in an image may be out of date due to backward compatibility requirements, exposing the environments where the image has been deployed to known vulnerabilities. While previous research efforts have focused on studying the impact of bugs and vulnerabilities of system packages within Docker images, no attention has been given to third-party packages. This paper empirically studies the impact of npm JavaScript package vulnerabilities in Docker images. We based our analysis on 961 images from three official repositories that use Node.js, and 1,099 security reports of packages available on npm, the most popular JavaScript package manager. Our results reveal that the presence of outdated npm packages in Docker images increases the risk of potential security vulnerabilities, suggesting that Docker maintainers should keep their installed JavaScript packages up to date.

Identifiers:
  • DOI: 10.1109/SANER.2019.8667984

Keywords:
  • (English) technical lag
  • (English) empirical software engineering
  • (English) Docker
  • (English) software evolution
  • (English) security vulnerability