Linux Archive

Linux Archive (
-   Debian Java (
-   -   Why it makes sense to package Java libraries (

Thomas Koch 05-02-2012 01:22 PM

Why it makes sense to package Java libraries

there are people that don't understand, why it makes sense to package Java
stuff in Debian. The below study points out how many organizations still
download ancient, vulnerable libraries from Macen central:
or shortened:
found via:


In partnership with Sonatype, researchers from Aspect Security analyzed 113
million downloads from the Central Repository (“Central”) of the 31 most
popular Java frameworks and security libraries [...]. We analyzed [...]
downloads of these libraries from more than 60,000 commercial, government, and
non-profit organizations.

Our analysis revealed several interesting findings, including:

• 29.8 million (26%) of library downloads have known vulnerabilities
• The most downloaded vulnerable libraries were GWT, Xerces, Spring MVC, and
Struts 1.x
• Security libraries are slightly more likely to have a known vulnerability
than frameworks
• Based on typical vulnerability rates, the vast majority of library flaws
remain undiscovered
• Neither presence nor absence of historical vulnerabilities is a useful
security indicator
• Typical Java applications are likely to include at least one vulnerable

The data show that most organizations do not appear to have a strong process
in place for ensuring that the libraries they rely upon are up-to-date and
free from known vulnerabilities. We conclude that there are no shortcuts to a
secure application infrastructure and that the only useful indicator of
library security is a broad and rigorous review that finds minimal

Thomas Koch,

To UNSUBSCRIBE, email to
with a subject of "unsubscribe". Trouble? Contact

All times are GMT. The time now is 09:21 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.