Slashdot Mirror
Report: Aging Java Components To Blame For Massively Buggy Open-Source Software
itwbennett writes: The problem isn't new, but a report released Tuesday by Sonatype, the company that manages one of the largest repositories of open-source Java components, sheds some light on poor inventory practices that are all-too-common in software development. To wit: 'Sonatype has determined that over 6 percent of the download requests from the Central Repository in 2014 were for component versions that included known vulnerabilities and the company's review of over 1,500 applications showed that by the time they were developed and released each of them had an average of 24 severe or critical flaws inherited from their components.'
Why?
Because if you don't test your code, you don't know if changes to it break it.
Changing the components your code is composed of is a big change.
Therefore : people get nervous about changing the components they have used (even changing the version).
What should be happening : when you're planning a new release, raise the component versions to the latest and run your test suite. If it passes, good job, release it.
What is actually happening : the version numbers never get edited, because that version worked, and if you change it, OMG, it might stop working.
I'm betting if you have a large enough pool of open source things, which depend on other open source things, then the bugs in the dependencies will trickle up to the projects which rely on them.
Though, admittedly, Java has also made this more annoying -- a decade or so ago when I was actively working on a Java project, it always amazed me how a new version of Java could completely break everything and then you'd have to re-test and re-certify everything.
It got to the point we put in very large bold characters in our release notes ... we work on this version of Java, if you get clever and introduce your own version of Java, we won't talk to you until you confirm the bug in the version we support.
A surprising number of clients were willing to blaze trail with whatever version of Java came along, and then kept expecting we'd be supporting custom versions from vendors or features which didn't exist when our version was built.
Eventually we learned to dread a new release of Java. Because invariably things went to hell and stopped working.
Lost at C:>. Found at C.
.
Java developers are no different than other developers.
One basic problem seems to be that repositories are providing downloads of known vulnerable components.
Once a bit of software has a known vulnerability, it should *immediately* be deleted from all repositories. Responsible developers will post a fix in a timely manner; hacks will wait weeks/months/years to update, Eventually people will move away from the badly written bits of software - because they aren't available. Problem solved.
This basically defines some of the problems of "enterprisey" software:
- It's composed of a million glued-together libraries.
- It's written by chronically understaffed/overworked IT department employees.
- Rigorous testing either (a) doesn't exist, (b) is so onerous that most developers try to avoid it, or (c) is outsourced/offshored to the lowest bidder, and therefore isn't completed without the staff basically doing the tests for the outsourcer.
- Anything that breaks it is avoided at all costs because of all of the above.
By extension, this is why some companies are stuck running IE 6 for key applications, or Office 97 because rewriting the scary mess of macros that runs a process isn't something anyone wants to do. I do systems integration work, and new versions of Java, web browsers, etc. are miserable. They introduce bugs small enough to be annoyances (rendering problems, etc.) and big enough to break the entire system.
The key to fixing this is for the software architects to require that developers move up to at least a semi-modern release of their key libraries, test everything against them, and remove the old outdated ones once all the bugs are fixed. The problem is that this is never done.
It's about time everyone stops whining. There are things in life you're better safe than sorry, but then there are things in life you just can't change: not every single entity can keep maintaining what they create. Human beings are limited, and so are human organizations - they lack money, workforce or simply the patience to put up with some "critical flaws" that are just too rooted in bad design to be solved without a restructuring.
THAT IS THE REAL FLAW.
There are good ways and bad ways to create reusable components. Black boxing (containing) everything for starters (sans the closed-sourced part) is something people tend to limit the scope to testing and/or to services outside a fully-fledged system's component border. Technologies like SOA are just one of many ways to plug&play every new piece of technology that performs a very specific task in a different way of a previously flawed one. Think project Ara. It's not only fun to develop like this (although some have problem conceptualizing it), but it's also more robust in the long run. Using such paradigms is what we, as the "clients" of such "aging and flawed" components can do push better development of individual components.
Now, each and every component developer has to find ways to keep their work atomic, so as to not conflict with the principles of technologies they are developed to work for. This might all seem like an utopian way of what to expect of the coding community, but then again we are also still looking for the best ways to apply near-perfect political views designed hundreds of years ago, which are yet to achieve full potential. I keep my hopes up for both issues, but my expectations low.
It is important to note the following:
Sonatype has determined that over 6 percent of the download requests from the Central Repository in 2014 were for component versions that included known vulnerabilities.
That means that when building a project the devs are using an older version of a dependency than a newer, fixed version. You don't pull your own artifacts from Sonatype, just dependencies.
Yes this can mean there's a bug that might be exposed to end users, but frequently a dependency is just a dependency used by the developer's code. Sure there could be a transient vulnerability, but I don't think vulnerabilities will be that transparent but that depends upon the nature of the vulnerability and the use of the component in the dev's code.
This is more of a "DLL Hell" situation. Vulnerabilities can be solved in one component, but due to interdependencies it may or may not be possible to use the fixed version. If you're choosing to use an older version of a dependency, well then that's a bad choice. But sometimes those older versions you can just be stuck with due to interdependencies, business direction (only version X has been approved by corp even if Y has critical fixes you may still be stuck with X), etc.
He's saying that Java, because of it's nature, and the type of programmer that uses it, could reasonably be expected to be more rigorously programmed than Javascript, so if there are horrific problems with Java, then the problems with Javascript are like the Elder Gods descending upon the web.
Possibly not so bad at the client side, but all this Node.js stuff that's popular....
Because .NET and C# are better....
Which still has nothing to do with the original topic.
It doesn't matter what language is used. Developers don't upgrade because a PHB doesn't like the risk-benefit ratio.
It should be noted that the company releasing this report, Sonatype, markets a product called Insight Application Health Check that scans your binaries for libraries with known vulnerabilities.
I have never used their service, and can offer no comments on its utility or value. However, it is a bit unseemly that TFA doesn't mention that the source of their information about this very real problem also sells a service that solves it. This is a knock on IT World, not Sonatype.
I've been told in tens of thousands of Slashdot comments(all modded up) that Open Source software is more secure. No wonder this site is dying.
It is not more secure due to magic. It is more secure due to patches and updates. If you do not apply them, you do not get that security. It is like having locks and a car alarm, but leaving your keys on the dash.
If you want software to last more than one season, then rely on old-school "plain jane" HTML for most of your UI with a little JavaScript only where absolutely needed.
Plane-jain HTML is not glamorous or fancy, but it has been supported and will be supported for a good while. If your org wants fancy, it has to pay the Fancy Tax.
If you have to repaint the entire screen for an activity, so be it. If it's a relatively small-user-base app, the overall bandwidth overhead is not really bigger than downloading fat JS libraries. If you code your HTML to mostly rely on CSS, then HTML redraws will be small packets.
Table-ized A.I.
> JavaScript lacks most of the language features needed for writing robust, reliable software at a large scale.
There is no reason that it should not be possible to write huge enterprise applications in JavaScript. (or assembly language).
It's just that it becomes a huge unmaintainable mess.
The reason for higher and higher level languages, including type checking, is to make the compiler to more and more of the bookkeeping of writing software. You could do it in assembly language if you were willing to do enough bookkeeping.
What JavaScript (and similar dynamic languages) bring is that you can write smaller projects very quickly. See Ruby on Rails for example. But then Twitter started with Ruby, and in 2012 switched to Java for scalability. They said that Ruby was the right language when they started.
I'll see your senator, and I'll raise you two judges.
This is a problem that Maven has created, mostly.
What the summary doesn't mention is that "large repository of open source software" is a Maven repository. Maven allows you to specify dependencies for your Java project.
The problem is that you have to specify a specific version of whatever you use. So let's say you use OpenFoo 1.1 and that at the time you write your code, the latest version of OpenFoo is 1.1.3.
Now assume a horrible vulnerability is discovered in OpenFoo 1.1.3, so they release OpenFoo 1.1.4 to fix it. Well, your Maven POM says you require OpenFoo 1.1.3, so until you go in and manually change that, you will only ever use 1.1.3. There is - by design - no way to say "I want the latest 1.1 version." You can only describe a single, specific version.
So it's no surprise that Sonatype will see a ton of old Maven projects continuing to download outdated Maven artifacts. There's no way to say "I want the latest version of a specific branch" you can only specify a single version. Which means that a project that hasn't changed in years will still pull in the old versions of the libraries, even if it would work with the later versions.
You are in a maze of twisty little relative jumps, all alike.
It's not FUD. It's clickbait. It will make up for the revenue shortfall from SourceForge.
I'll see your senator, and I'll raise you two judges.
I am not going to argue that having better automated test is not a good thing. It is a good thing.
The problem is more about how these third party components are maintained. The majority of third party components I have worked with, upgrading to a newer version of the component meant rewriting large sections of code just to get the project to compile. The interface to the component changed. The tests would cover the happy paths and some bad paths, but a lot of manual testing and mitigation of new bugs would need to still be done. This doesn't even cover if the newer version of the component will even work for what you used it for. Yes, sometimes newer versions of components remove features, or change a feature you relied on in such a way that it is no longer usable.
You say don't use components from third parties that keep making these breaking changes? Guess what, that means using no third party components because basically everyone makes these same mistakes. The problem is usually worse with commercial components. Sometimes the wheel is so complex that you just can't re-invent it, but you never know when the third party is going change their axle size, or wheel diameter.
Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
FOSS is much more prone to borking backwards compatibility than COTS.
Do you have any backup for this statement?
The only possible thing I can think of is that COTS can potentially have greater control over a closed ecosystem. But even COTS today often relies on various third-party libraries.
He's saying that if a better language (Java) has all these problems with API version control then how does a worse language (Javascript) have any hope of doing a better job avoiding .lib hell
The problem isn't unique to Java -- this tends to happen in C the least while Java the most from what I've noticed. When you rely on ANY third party library you are eventually going to run into this problem where the API changes. Now multiply that by each external library you are using. Some days we spend more "busy-work" just updating the codebase to work with the external libs then doing any actual real work. :-(
There is no easy solution to when the architecture changes. :-/
April 2013: "Sonatype's annual survey of 3,500 software developers and shows struggle in setting corporate policy on open source and enforcing it" ref
April 2013: "Control and security of corporate open source projects proves difficult | New Sonatype survey finds 80 percent of most Java applications comes from open source" ref
Nov 2014: "Software developers use a large number of open-source components, often oblivious to the security risks they introduce or the vulnerabilities that are later discovered in them." ref
April 2015: "open-source also represents a vast, unpatched quagmire of cyber-risk that’s putting public safety at grave risk. That’s the assessment of Joshua Corman, CTO at Sonatype" ref
It's better in that just because a component has a vuln doesn't mean that vuln is exploitable in all situations. Unfortunately, people are TERRIBLE at determining if a vulnerability is potentially exploitable or not.
It's worse in that the data in the NVD is often wrong and has lots of missing versions. For example, CVE-2013-5960 says "The ... in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.1 " and it lists the affected versions only as 2.0.1. The description is wrong (the issue was fixed in 2.1.0) and the list of versions is incomplete as there are more versions that are affected. Another example, CVE-2014-3604 says "Certificates.java in Not Yet Commons SSL before 0.3.15 ..." and then lists the affected versions as 0.3.15 - which is the version it was fixed in and it doesn't list the versions that were actually affected.
You expect people to remain on-topic? You have been a member longer than I have. (I may have read longer, that is irrelevant.) You should know better than that.
"So long and thanks for all the fish."
Are you a werecow? Moo moo moo... I'm a werecow.
The Doctor is in!
"So long and thanks for all the fish."
How about this: You and me both get started on an application to store, monitor and analyize 25hz data from every Phasor device in an entire, very populous country of Asia. I'll use my wealth of common components and frameworks, you go ahead and roll it yourself out of whatever the fuck you use. We'll meet back in a year, and let's see which one is more complete, bug-free and secure. Deal?
Sounds like a fun idea. I am game. You go with Java (an excellent choice for this) and I will go with C++. Should we begin today? You have experience in the field so you have an advantage. I accept that challenge.
"So long and thanks for all the fish."
Who insinuated this?
Oh, nobody. It is easy to rant about things that are only in your head. Unfortunately, for the rest of us, your rant made it past the submit button which means we are subjected to your mindless inanities. Seriously, how did you manage to reach that conclusion?
"So long and thanks for all the fish."
and this why you use the latest and greatest and update your interface to updating dependencies. It has nothing to do with FOSS.
Why not replace the download with an error message stating that you need to upgrade to version whatever.
Since they already know which versions of what have critical security flaws.
Too obvious?
Not as good for the bottom line as selling a library flagging tool?
Where are we going and why are we in a handbasket?
Intelligent people don't focus on the minor problem until the major problems have been dealt with sufficiently.
"Sorry, I'm not going to triage your arterial bleeding. Why should I? Nothing matters compared to a cure for cancer."