Tracking Security Smell Diffusion Patterns in Ansible Playbooks Using Metadata
摘要
Infrastructure as Code (IaC) platforms lack mechanisms for detecting security smell diffusion, a challenge stemming from the absence of repository relationships. We present a similarity-based methodology combining content and structure metrics to identify repository clones. Validated against Ansible Galaxy repositories that have GitHub fork data, our approach achieved 99.6%–99.8% accuracy to detect forks. Analysis of Ansible Galaxy repositories across three popular technologies revealed 38.4%–54.1% share code overlap, creating vulnerability propagation pathways. Security analysis identified CWE-477 and CWE-546 as most prevalent, with CVE-2017-7550 (CVSS 9.8 - Critical) propagating from a popular repository version with 2.7 million downloads. Fork metadata absence causes users to download repositories with induced security smells at 100 \(\times \) higher rates than platforms with visible fork relationships. A survey of 24 IaC tools confirmed none provide cross-repository comparison capabilities, demonstrating a gap in repository relationship tracking within the IaC supply chain. Our work addresses this gap by providing a systematic approach to detect clones and track security diffusion in environments lacking fork metadata.