Slashdot Mirror
Report: Aging Java Components To Blame For Massively Buggy Open-Source Software
itwbennett writes: The problem isn't new, but a report released Tuesday by Sonatype, the company that manages one of the largest repositories of open-source Java components, sheds some light on poor inventory practices that are all-too-common in software development. To wit: 'Sonatype has determined that over 6 percent of the download requests from the Central Repository in 2014 were for component versions that included known vulnerabilities and the company's review of over 1,500 applications showed that by the time they were developed and released each of them had an average of 24 severe or critical flaws inherited from their components.'
Why?
Because if you don't test your code, you don't know if changes to it break it.
Changing the components your code is composed of is a big change.
Therefore : people get nervous about changing the components they have used (even changing the version).
What should be happening : when you're planning a new release, raise the component versions to the latest and run your test suite. If it passes, good job, release it.
What is actually happening : the version numbers never get edited, because that version worked, and if you change it, OMG, it might stop working.
I'm betting if you have a large enough pool of open source things, which depend on other open source things, then the bugs in the dependencies will trickle up to the projects which rely on them.
Though, admittedly, Java has also made this more annoying -- a decade or so ago when I was actively working on a Java project, it always amazed me how a new version of Java could completely break everything and then you'd have to re-test and re-certify everything.
It got to the point we put in very large bold characters in our release notes ... we work on this version of Java, if you get clever and introduce your own version of Java, we won't talk to you until you confirm the bug in the version we support.
A surprising number of clients were willing to blaze trail with whatever version of Java came along, and then kept expecting we'd be supporting custom versions from vendors or features which didn't exist when our version was built.
Eventually we learned to dread a new release of Java. Because invariably things went to hell and stopped working.
Lost at C:>. Found at C.
.
Java developers are no different than other developers.
That's the real reason there are problems: Most software isn't so much written as blindly copied; most programmers have no idea what they're doing, and this is particularly true of the Big IDE users at which Java has always been targeted.
It's accepted in industry that JavaScript is an inferior language compared to Java. Popular only for its ubiquity in web browsers, JavaScript lacks most of the language features needed for writing robust, reliable software at a large scale.
Java does offer far more of the features needed for large-scale software development, while also attaining a reasonable level of quality. Java has a working type system, while JavaScript does not. Java supports real modularity, while JavaScript only supports hacks. Java supports classes, while JavaScript only supports crippled and near-useless prototypes. The list goes on and on.
Additionally, Java is typically used by trained professionals who have at least some formal education under their belt. JavaScript, on the other hand, is a language embraced by beginners who have no experience.
So if we're having problems with software developed using Java, and Java is better suited to software development than JavaScript is, then this means that the problems we're having with JavaScript are astronomically bigger than what we're experiencing with Java.
While we need to address these concerns involving Java, obviously, we can't neglect to focus on the major problems that JavaScript is causing, as well.
This is nothing more than fearmongering FUD. Many eyes garuntees such bugs are impossible.
Go back to your caves Microsoft shills!
They mean you. Get off the web!
One basic problem seems to be that repositories are providing downloads of known vulnerable components.
Once a bit of software has a known vulnerability, it should *immediately* be deleted from all repositories. Responsible developers will post a fix in a timely manner; hacks will wait weeks/months/years to update, Eventually people will move away from the badly written bits of software - because they aren't available. Problem solved.
This basically defines some of the problems of "enterprisey" software:
- It's composed of a million glued-together libraries.
- It's written by chronically understaffed/overworked IT department employees.
- Rigorous testing either (a) doesn't exist, (b) is so onerous that most developers try to avoid it, or (c) is outsourced/offshored to the lowest bidder, and therefore isn't completed without the staff basically doing the tests for the outsourcer.
- Anything that breaks it is avoided at all costs because of all of the above.
By extension, this is why some companies are stuck running IE 6 for key applications, or Office 97 because rewriting the scary mess of macros that runs a process isn't something anyone wants to do. I do systems integration work, and new versions of Java, web browsers, etc. are miserable. They introduce bugs small enough to be annoyances (rendering problems, etc.) and big enough to break the entire system.
The key to fixing this is for the software architects to require that developers move up to at least a semi-modern release of their key libraries, test everything against them, and remove the old outdated ones once all the bugs are fixed. The problem is that this is never done.
I'm sorry, but please stop using Java if you need third-party libraries, because those third party libraries are rarely updated precisely because of this. If you fix a bug in a third party library and drop it in, there goes all the security signatures and crap.
If you need third party libraries. Develop in C.
If you need third party libraries to never change, statically compile them (except GPL licensed software, don't use LGPL/GPL software if you intend to never open source your software.)
Java software should rely on only the JRE, because otherwise it's inherently non-portable (eg 32bit and 64bit runtimes, much less Operating systems.)
The most irritating part of developing on Linux is all the "dll hell", where as on Windows, the DLL hell is fixed by just installing hunderds of versions of the otherwise same library and never relying on the system library.
And this is the problem with all software development. You can not rely on the system libraries to continue to work for any period of time. But if you ship your own libraries, you can't ever replace them.
If only there was a way to actually have software dynamically link to the "most recent version that will work."
eg have the runtime interrogate the system library and other installed libraries for the functions and return types to make sure that the library hasn't changed (or has been replaced with "cracked/compromised" versions.)
On Windows (see many "plugin" systems) software can be version independent as long as the API doesn't change or deprecate anything (see OpenGL) without breaking forward compatibility.
It's about time everyone stops whining. There are things in life you're better safe than sorry, but then there are things in life you just can't change: not every single entity can keep maintaining what they create. Human beings are limited, and so are human organizations - they lack money, workforce or simply the patience to put up with some "critical flaws" that are just too rooted in bad design to be solved without a restructuring.
THAT IS THE REAL FLAW.
There are good ways and bad ways to create reusable components. Black boxing (containing) everything for starters (sans the closed-sourced part) is something people tend to limit the scope to testing and/or to services outside a fully-fledged system's component border. Technologies like SOA are just one of many ways to plug&play every new piece of technology that performs a very specific task in a different way of a previously flawed one. Think project Ara. It's not only fun to develop like this (although some have problem conceptualizing it), but it's also more robust in the long run. Using such paradigms is what we, as the "clients" of such "aging and flawed" components can do push better development of individual components.
Now, each and every component developer has to find ways to keep their work atomic, so as to not conflict with the principles of technologies they are developed to work for. This might all seem like an utopian way of what to expect of the coding community, but then again we are also still looking for the best ways to apply near-perfect political views designed hundreds of years ago, which are yet to achieve full potential. I keep my hopes up for both issues, but my expectations low.
They are 'features', installed by you-know-who, NSA, CIA, DEA, FBI....
It is important to note the following:
Sonatype has determined that over 6 percent of the download requests from the Central Repository in 2014 were for component versions that included known vulnerabilities.
That means that when building a project the devs are using an older version of a dependency than a newer, fixed version. You don't pull your own artifacts from Sonatype, just dependencies.
Yes this can mean there's a bug that might be exposed to end users, but frequently a dependency is just a dependency used by the developer's code. Sure there could be a transient vulnerability, but I don't think vulnerabilities will be that transparent but that depends upon the nature of the vulnerability and the use of the component in the dev's code.
This is more of a "DLL Hell" situation. Vulnerabilities can be solved in one component, but due to interdependencies it may or may not be possible to use the fixed version. If you're choosing to use an older version of a dependency, well then that's a bad choice. But sometimes those older versions you can just be stuck with due to interdependencies, business direction (only version X has been approved by corp even if Y has critical fixes you may still be stuck with X), etc.
I've been told in tens of thousands of Slashdot comments(all modded up) that Open Source software is more secure. No wonder this site is dying.
Because .NET and C# are better....
It doesn't matter what language is used. Developers don't upgrade because a PHB doesn't like the risk-benefit ratio.
It should be noted that the company releasing this report, Sonatype, markets a product called Insight Application Health Check that scans your binaries for libraries with known vulnerabilities.
I have never used their service, and can offer no comments on its utility or value. However, it is a bit unseemly that TFA doesn't mention that the source of their information about this very real problem also sells a service that solves it. This is a knock on IT World, not Sonatype.
.NET to blame for buggy desktop software. Shocker.
If you want software to last more than one season, then rely on old-school "plain jane" HTML for most of your UI with a little JavaScript only where absolutely needed.
Plane-jain HTML is not glamorous or fancy, but it has been supported and will be supported for a good while. If your org wants fancy, it has to pay the Fancy Tax.
If you have to repaint the entire screen for an activity, so be it. If it's a relatively small-user-base app, the overall bandwidth overhead is not really bigger than downloading fat JS libraries. If you code your HTML to mostly rely on CSS, then HTML redraws will be small packets.
Table-ized A.I.
java is the only language in which code rot occurs..
What sort of shit ass submission is this?
FOSS is much more prone to borking backwards compatibility than COTS. The best run FOSS will deprecate in release X+1 then delete in X+2, but at the end of the day you're still forced to change your application code so that the FOSS maintenance team can keep themselves pure and no amount of unit or functional testing is going to prevent that.
Plenty of application development teams make rational decisions not to install FOSS security fixes when the FOSS team has chosen to bundle those fixes with incompatibilities.
That I am aware of. I know, Oracle is not doing much to help this problem. In the non-Java, non-PHP side ecosystems, some companies pipe money into open source projects and lead their direction so developers deal with less problems like this. They do happen, just not nearly as often.
At least it doesn't try to shove the Ask toolbar down your throat.
Because .NET and C# are better....
Having stepped into the Java world after having done both C++ and C# for many years, there are quite a number of things about both that are better than Java.
This is a problem that Maven has created, mostly.
What the summary doesn't mention is that "large repository of open source software" is a Maven repository. Maven allows you to specify dependencies for your Java project.
The problem is that you have to specify a specific version of whatever you use. So let's say you use OpenFoo 1.1 and that at the time you write your code, the latest version of OpenFoo is 1.1.3.
Now assume a horrible vulnerability is discovered in OpenFoo 1.1.3, so they release OpenFoo 1.1.4 to fix it. Well, your Maven POM says you require OpenFoo 1.1.3, so until you go in and manually change that, you will only ever use 1.1.3. There is - by design - no way to say "I want the latest 1.1 version." You can only describe a single, specific version.
So it's no surprise that Sonatype will see a ton of old Maven projects continuing to download outdated Maven artifacts. There's no way to say "I want the latest version of a specific branch" you can only specify a single version. Which means that a project that hasn't changed in years will still pull in the old versions of the libraries, even if it would work with the later versions.
You are in a maze of twisty little relative jumps, all alike.
I am not going to argue that having better automated test is not a good thing. It is a good thing.
The problem is more about how these third party components are maintained. The majority of third party components I have worked with, upgrading to a newer version of the component meant rewriting large sections of code just to get the project to compile. The interface to the component changed. The tests would cover the happy paths and some bad paths, but a lot of manual testing and mitigation of new bugs would need to still be done. This doesn't even cover if the newer version of the component will even work for what you used it for. Yes, sometimes newer versions of components remove features, or change a feature you relied on in such a way that it is no longer usable.
You say don't use components from third parties that keep making these breaking changes? Guess what, that means using no third party components because basically everyone makes these same mistakes. The problem is usually worse with commercial components. Sometimes the wheel is so complex that you just can't re-invent it, but you never know when the third party is going change their axle size, or wheel diameter.
Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
'OMG screwdrivers suck! I tried to hammer in this nail with one and it didn't work!'. Christ you're an idiot. I don't come down to where you work and slap the whatever it is you use out of your mouth do I? You know why? Because every job has a right tool, and the minute you think all jobs are alike or any tool is a panacea you expose yourself as a shit engineer.
And what job did you use Java for to make this highly educated declaration? Let me guess - you think 'Java' means the web plugin that nobody has used in 10 years and you made a shitty applet?
There are jobs (real ones, that matter) where Java is absolutely clutch. If you ever saw the sheer magnitude of what is required to build enterprise systems for coordinating the scheduling / generation / distribution / remuneration for a 10 state region of the US power grid you would shit your little boy pants. Now imagine you need to deliver the common core of that same system to 5 more multi-state regions. Now imagine you need to sell it in Europe, Asia and the Middle East, each time adapting it to new operating protocols, languages, ergonomics. Ever done that? No? Then shut the fuck up.
Funny thing? We have EXTREMELY meticulous security audits, static code analysis, penetration testing, etc. You know where all the SEVERE issues are found? Surprise - in the C applications. Why? No not because C 'sucks', but because there is literally no way to write bad Java code that causes a buffer overrun and allows arbitrary malicious code execution. If ever there is, this is a JVM flaw not a code flaw and is promptly fixed. Once. For everybody.
I can tell you what these 'vulnerabilities' in TFA are - I see them all the time in static code analysis. They are things like 'log forging', potential (usually spurious) null references, SQL injections, etc. These problems exist in any language. The fact that they can be picked up by SCA and put in a report like this is actually a good thing (oh and 24 of them ain't shit if you are including all severity levels). And they are easily addressed by staying on top of your dependency stack.
How about this: You and me both get started on an application to store, monitor and analyize 25hz data from every Phasor device in an entire, very populous country of Asia. I'll use my wealth of common components and frameworks, you go ahead and roll it yourself out of whatever the fuck you use. We'll meet back in a year, and let's see which one is more complete, bug-free and secure. Deal?
.NET, C# and Microsoft in general are usually very good about backwards compatibility. Some notable exceptions are VB.NET and Vista.
Seriously, this is one of the big problems with the Java ecosystem. Java releases that encourage applications to version check (because of feature instability and repeated backwards compatibility problems). Then applications that do that, and thus often get stuck in the past.
Everyone involved in this needs to get a slap. You do not chain an app to a library/environment/JVM unless absolutely necessary. And preemptive environment checking "just in case" of compatibility problems deserves a double slap. Yeah, I know there are times when this stuff seems necessary. Whenever that happens, maybe give your dependency design a re-think. Unless you enjoy being the problem child of software providers?
April 2013: "Sonatype's annual survey of 3,500 software developers and shows struggle in setting corporate policy on open source and enforcing it" ref
April 2013: "Control and security of corporate open source projects proves difficult | New Sonatype survey finds 80 percent of most Java applications comes from open source" ref
Nov 2014: "Software developers use a large number of open-source components, often oblivious to the security risks they introduce or the vulnerabilities that are later discovered in them." ref
April 2015: "open-source also represents a vast, unpatched quagmire of cyber-risk that’s putting public safety at grave risk. That’s the assessment of Joshua Corman, CTO at Sonatype" ref
It's better in that just because a component has a vuln doesn't mean that vuln is exploitable in all situations. Unfortunately, people are TERRIBLE at determining if a vulnerability is potentially exploitable or not.
It's worse in that the data in the NVD is often wrong and has lots of missing versions. For example, CVE-2013-5960 says "The ... in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.1 " and it lists the affected versions only as 2.0.1. The description is wrong (the issue was fixed in 2.1.0) and the list of versions is incomplete as there are more versions that are affected. Another example, CVE-2014-3604 says "Certificates.java in Not Yet Commons SSL before 0.3.15 ..." and then lists the affected versions as 0.3.15 - which is the version it was fixed in and it doesn't list the versions that were actually affected.
How about this: You and me both get started on an application to store, monitor and analyize 25hz data from every Phasor device in an entire, very populous country of Asia. I'll use my wealth of common components and frameworks, you go ahead and roll it yourself out of whatever the fuck you use. We'll meet back in a year, and let's see which one is more complete, bug-free and secure. Deal?
Sounds like a fun idea. I am game. You go with Java (an excellent choice for this) and I will go with C++. Should we begin today? You have experience in the field so you have an advantage. I accept that challenge.
"So long and thanks for all the fish."
kl çadr
and this why you use the latest and greatest and update your interface to updating dependencies. It has nothing to do with FOSS.
Why not replace the download with an error message stating that you need to upgrade to version whatever.
Since they already know which versions of what have critical security flaws.
Too obvious?
Not as good for the bottom line as selling a library flagging tool?
Where are we going and why are we in a handbasket?