Frequent software releases are expected to address security and compatibility issues, but may result in security breakages in return while increasing maintenance cost and system complexity. We conduct an empirical study on the ecosystem-wide evolution of the Maven Central Dependency Graph and the maintenance status of its artifacts, with the ultimate goal of educating the developer community about the evolution and maintenance levels within the Maven Central ecosystem. We examine the growth patterns of library releases over time, focusing on frequency, rhythm, and speed, to understand the influence of project management methodologies such as Agile, security vulnerabilities, and open-source contributions on the evolution of the Maven Central ecosystem. Similarly, we also measure the maintenance level of artifacts in the ecosystem based on various factors such as popularity, missed releases, and whether vulnerabilities have been addressed or not. Rapid growth between 2004 and 2005 aligned with emergence with agile methodologies, followed by a gradual increase up to 2021, after which it started plateauing or stabilizing, which may be attributed to the emergence of new technologies such as AI. In contrast, the growth of vulnerabilities across all severity types experienced a rapid decline after 2021, possibly indicating an increased emphasis on security and improved library maintenance within the community. We found that only 5.21% of all libraries are fully maintained. The study suggests the need for further in-depth research on the most prevalent vulnerabilities in the Maven Central ecosystem, and a well-validated metric system for assessment of combined vulnerability and maintenance level in the Maven Central Dependency Graph.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

An Empirical Study on the Evolution and Vulnerabilities of Maven Artifacts

  • Nirajan Bhattarai,
  • Riley Stratton,
  • Minhaz Zibran

摘要

Frequent software releases are expected to address security and compatibility issues, but may result in security breakages in return while increasing maintenance cost and system complexity. We conduct an empirical study on the ecosystem-wide evolution of the Maven Central Dependency Graph and the maintenance status of its artifacts, with the ultimate goal of educating the developer community about the evolution and maintenance levels within the Maven Central ecosystem. We examine the growth patterns of library releases over time, focusing on frequency, rhythm, and speed, to understand the influence of project management methodologies such as Agile, security vulnerabilities, and open-source contributions on the evolution of the Maven Central ecosystem. Similarly, we also measure the maintenance level of artifacts in the ecosystem based on various factors such as popularity, missed releases, and whether vulnerabilities have been addressed or not. Rapid growth between 2004 and 2005 aligned with emergence with agile methodologies, followed by a gradual increase up to 2021, after which it started plateauing or stabilizing, which may be attributed to the emergence of new technologies such as AI. In contrast, the growth of vulnerabilities across all severity types experienced a rapid decline after 2021, possibly indicating an increased emphasis on security and improved library maintenance within the community. We found that only 5.21% of all libraries are fully maintained. The study suggests the need for further in-depth research on the most prevalent vulnerabilities in the Maven Central ecosystem, and a well-validated metric system for assessment of combined vulnerability and maintenance level in the Maven Central Dependency Graph.