TY - JOUR
AU1 - Rahman, Imranur
AU2 - Paramitha, Ranidya
AU3 - Plate, Henrik
AU4 - Wermke, Dominik
AU5 - Williams, Laurie
AB - Knowing what sensitive resources a dependency could potentially access would help developers assess the risk of a dependency before selection. One way to get an understanding of the potential sensitive resource usage by a dependency is using security-sensitive APIs, i.e., the APIs that provide access to security-sensitive resources in a system, e.g., the filesystem or network resources. However, the lack of tools or research providing visibility into potential sensitive resource usage of dependencies makes it hard for developers to use this as a factor in their dependency selection process. The goal of this study is to aid developers in assessing the security risks of their dependencies by identifying security-sensitive APIs in packages through call graph analysis. In this study, we present a novel methodology to construct a security-sensitive API list for an ecosystem to better understand and assess packages before selecting them as a dependency. We implement the methodology in Java. We then compare the prevalence of security-sensitive APIs in functionally similar package groups to understand how different functionally similar packages could be in terms of security-sensitive APIs. We also conducted a developer survey (with 110 respondents) to understand developers' perceptions towards using security-sensitive API information in the dependency selection process. More than half of the developers would use security-sensitive API information in the dependency selection process if available. Finally, we advocate for incorporating security-sensitive API information into dependency management tools for easier access to the developers in the dependency selection process.
TI - What's in a Package? Getting Visibility Into Dependencies Using Security-Sensitive API Calls
JF - Computing Research Repository
DO - 10.48550/arxiv.2408.02846
DA - 2025-03-18
UR - https://www.deepdyve.com/lp/arxiv-cornell-university/what-s-in-a-package-getting-visibility-into-dependencies-using-YlWWdyh6oE
VL - 2025
IS - 2408
DP - DeepDyve
ER -
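The core step the abstract describes, walking a package's call graph to find which public entry points can transitively reach APIs on an ecosystem's security-sensitive API list and then summarising prevalence so two functionally similar packages can be compared, as an added example. This is not code from the paper or its Java implementation; it is written in Python for illustration, and the sensitive-API list, the two call graphs, the library names (liba, libb) and their methods are constructed toy data, not real packages or a list derived by the paper's method.

```python
"""Call-graph reachability to security-sensitive APIs (added illustration).

Given a package's call graph (caller -> callees) and an ecosystem-level map of
security-sensitive APIs to the resource they expose, compute the set of
sensitive resource categories each public entry point can reach transitively,
then summarise per-package prevalence for comparing functionally similar
packages.  All data below is constructed for the example.
"""
from collections import deque

# Constructed (illustrative) security-sensitive API list for a Java-like
# ecosystem: fully-qualified method -> resource category.  A real list would
# be derived per ecosystem; these entries are assumptions for the example.
SENSITIVE_APIS = {
    "java.io.FileInputStream.<init>": "filesystem",
    "java.io.FileOutputStream.<init>": "filesystem",
    "java.nio.file.Files.readAllBytes": "filesystem",
    "java.net.Socket.<init>": "network",
    "java.net.URL.openConnection": "network",
    "java.lang.Runtime.exec": "process",
    "java.lang.ProcessBuilder.start": "process",
    "java.lang.reflect.Method.invoke": "reflection",
    "java.lang.ClassLoader.loadClass": "classloading",
}


def reachable_categories(call_graph, entry):
    """Return the set of sensitive resource categories reachable from `entry`
    by following call edges transitively (BFS over the directed graph).
    Cycles are handled by the `seen` set."""
    seen = {entry}
    queue = deque([entry])
    cats = set()
    while queue:
        node = queue.popleft()
        if node in SENSITIVE_APIS:
            cats.add(SENSITIVE_APIS[node])
            continue  # sinks are library APIs; do not descend into them
        for callee in call_graph.get(node, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return cats


def package_profile(call_graph, entry_points):
    """Map each public entry point to the sensitive categories it can reach."""
    return {ep: reachable_categories(call_graph, ep) for ep in entry_points}


def category_prevalence(profile):
    """Fraction of entry points reaching each category, for comparing two
    functionally similar packages side by side."""
    total = len(profile)
    counts = {}
    for cats in profile.values():
        for c in cats:
            counts[c] = counts.get(c, 0) + 1
    return {c: n / total for c, n in sorted(counts.items())}


# Two constructed call graphs for hypothetical, functionally similar
# JSON-parsing libraries (names invented).  Edges: caller -> callees.
JSON_LIB_A = {
    "liba.Json.parse": ["liba.Lexer.tokenize", "liba.Json.build"],
    "liba.Lexer.tokenize": [],
    "liba.Json.build": ["liba.Json.newInstance"],
    "liba.Json.newInstance": ["java.lang.reflect.Method.invoke"],
    "liba.Json.parseFile": ["java.nio.file.Files.readAllBytes", "liba.Json.parse"],
    "liba.Json.toString": [],
}
JSON_LIB_B = {
    "libb.Parser.parse": ["libb.Parser.scan"],
    "libb.Parser.scan": [],
    "libb.Parser.parseFile": ["java.io.FileInputStream.<init>", "libb.Parser.parse"],
    "libb.Parser.fetch": ["java.net.URL.openConnection", "libb.Parser.parse"],
}

ENTRY_A = ["liba.Json.parse", "liba.Json.parseFile", "liba.Json.toString"]
ENTRY_B = ["libb.Parser.parse", "libb.Parser.parseFile", "libb.Parser.fetch"]

if __name__ == "__main__":
    for name, graph, entries in (("liba", JSON_LIB_A, ENTRY_A),
                                 ("libb", JSON_LIB_B, ENTRY_B)):
        prof = package_profile(graph, entries)
        print(name)
        for ep, cats in prof.items():
            print(f"  {ep}: {sorted(cats) or 'none'}")
        print("  prevalence:", category_prevalence(prof))
```

On this toy data the two "JSON libraries" differ in exactly the way the abstract says functionally similar packages can: liba's plain `parse` path reaches reflection through its object construction, while libb's `parse` reaches nothing sensitive but it exposes a `fetch` entry point that reaches the network. Note the design caveat a real tool inherits from call-graph construction: the result is an over-approximation (a reachable sink is not necessarily exercised), and dynamic dispatch or reflection edges the graph builder misses make it an under-approximation at the same time.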