[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Why it makes sense to package Java libraries


there are people that don't understand, why it makes sense to package Java 
stuff in Debian. The below study points out how many organizations still 
download ancient, vulnerable libraries from Macen central:

or shortened: http://bit.ly/GX4jGi
found via: 


In partnership with Sonatype, researchers from Aspect Security analyzed 113 
million downloads from the Central Repository (“Central”) of the 31 most 
popular Java frameworks and security libraries [...]. We analyzed [...] 
downloads of these libraries from more than 60,000 commercial, government, and 
non-profit organizations.

Our analysis revealed several interesting findings, including:
•  29.8 million (26%) of library downloads have known vulnerabilities
•  The most downloaded vulnerable libraries were GWT, Xerces, Spring MVC, and 
Struts 1.x
•  Security libraries are slightly more likely to have a known vulnerability 
than frameworks
•  Based on typical vulnerability rates, the vast majority of library flaws 
remain undiscovered
•  Neither presence nor absence of historical vulnerabilities is a useful 
security indicator
•  Typical Java applications are likely to include at least one vulnerable 

The data show that most organizations do not appear to have a strong process 
in place for ensuring that the libraries they rely upon are up-to-date and 
free from known vulnerabilities. We conclude that there are no shortcuts to a 
secure application infrastructure and that the only useful indicator of 
library security is a broad and rigorous review that finds minimal 

Thomas Koch, http://www.koch.ro

Reply to: