GitHub’s integrated automated workflow mechanism, GitHub Actions, promotes the use of Actions as reusable building blocks in workflows. The majority of those Actions are developed in JavaScript and depend on packages distributed through the npm package manager. Those packages can suffer from security vulnerabilities, potentially affecting the Actions that rely on them. Using a dataset of 8,107 JavaScript Actions, we analysed to what extent dependencies on npm packages expose these Actions to vulnerabilities. We observed that JavaScript Actions tend to rely on dozens of npm packages, and that the vast majority of them depend on npm package releases with known vulnerabilities. Most of these vulnerabilities are caused by indirect dependencies, making it difficult for Action maintainers to analyse their exposure to security vulnerabilities. Moreover, indirect dependencies are more likely to suffer from vulnerabilities of higher severity. We also studied to what extent security weaknesses occur in the source code of JavaScript Actions. To do so, we used CodeQL to detect security weaknesses, revealing that more than 54% of the studied JavaScript Actions contain at least one security weakness, and that a small subset of these weaknesses recurs frequently in their code. This justifies the need for further studies and more advanced tool support for addressing security issues in the GitHub Actions ecosystem.
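The abstract's central finding is that most known-vulnerable releases reach an Action through indirect dependencies, which a maintainer does not see in package.json. The script below is an added example, not code from the paper or its authors: it walks a package-lock.json (lockfileVersion 3 layout, where keys are install paths and "" is the Action itself), resolves each dependency the way Node does (nearest node_modules first, then upward), and classifies every match against an advisory list as direct or indirect, recording the chain it was reached through. The lock file, package names and advisories are constructed for illustration and describe no real package; a real audit would take the advisory data from `npm audit` or the GitHub Advisory Database. The nested copy of `idna-compat` shows an edge case worth checking for: a fixed hoisted version can mask a vulnerable nested one.

```javascript
// Added example (not from the paper): classify known-vulnerable npm dependencies
// of a JavaScript Action as direct or indirect by walking package-lock.json.
// All package names, versions and advisories below are constructed/hypothetical.

// Constructed lock file in npm's lockfileVersion 3 layout.
const SAMPLE_LOCK = {
  name: "example-action",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-action", version: "1.0.0",
          dependencies: { "example-core": "^1.0.0", "fetch-lite": "^2.6.0" } },
    "node_modules/example-core": { version: "1.2.0", dependencies: { "id-gen": "^8.0.0" } },
    "node_modules/id-gen":       { version: "8.3.2", dependencies: { "idna-compat": "^0.2.0" } },
    "node_modules/idna-compat":  { version: "0.2.0" },              // hoisted, fixed release
    "node_modules/fetch-lite":   { version: "2.6.0", dependencies: { "url-tools": "^5.0.0" } },
    "node_modules/url-tools":    { version: "5.0.0", dependencies: { "idna-compat": "^0.0.3" } },
    "node_modules/url-tools/node_modules/idna-compat": { version: "0.0.3" }, // nested, vulnerable
  },
};

// Constructed advisories: a package is affected when its version is below fixedIn.
const SAMPLE_ADVISORIES = [
  { name: "idna-compat",  fixedIn: "0.1.0", severity: "high" },
  { name: "fetch-lite",   fixedIn: "2.7.0", severity: "moderate" },
  { name: "example-core", fixedIn: "1.1.0", severity: "low" }, // 1.2.0 is already fixed
];

// Numeric major.minor.patch comparison; pre-release tags are ignored (assumption
// for this example; use the semver package for real ranges).
function semverLess(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Node's lookup order: <from>/node_modules/<name>, then the parent package's
// node_modules, and so on up to the top-level node_modules.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed (e.g. optional dependency)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk from the Action's own entry; each installed copy is visited
// once, so a nested vulnerable copy is reported even when a fixed copy is hoisted.
function auditLock(lock, advisories) {
  const packages = lock.packages;
  const findings = [];
  const seen = new Set();
  const queue = [["", []]]; // [installPath, chain of names from the Action]
  while (queue.length) {
    const [path, chain] = queue.shift();
    if (seen.has(path)) continue;
    seen.add(path);
    const entry = packages[path];
    if (path !== "") {
      const name = chain[chain.length - 1];
      for (const adv of advisories) {
        if (adv.name === name && semverLess(entry.version, adv.fixedIn)) {
          findings.push({ name, version: entry.version, path, severity: adv.severity,
                          direct: chain.length === 1, via: chain.join(" > ") });
        }
      }
    }
    for (const depName of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDep(packages, path, depName);
      if (depPath) queue.push([depPath, [...chain, depName]]);
    }
  }
  return findings;
}

// Count findings per severity, split by direct vs indirect, as the study does.
function summarize(findings) {
  const out = { direct: {}, indirect: {} };
  for (const f of findings) {
    const bucket = f.direct ? out.direct : out.indirect;
    bucket[f.severity] = (bucket[f.severity] || 0) + 1;
  }
  return out;
}

const report = auditLock(SAMPLE_LOCK, SAMPLE_ADVISORIES);
console.log(JSON.stringify({ findings: report, summary: summarize(report) }, null, 2));
```

On the constructed input the only high-severity finding is the nested `idna-compat` copy reached through `fetch-lite > url-tools`, which a glance at package.json or at the hoisted `node_modules/idna-compat` would miss; this is the visibility problem the abstract attributes to indirect dependencies.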
Disciplines :
Computer science
DOI :
10.1145/3643991.3644899
Author, co-author :
Onsori Delicheh, Hassan ; Université de Mons - UMONS > Faculté des Sciences > Service de Génie Logiciel
Decan, Alexandre ; Université de Mons - UMONS > Faculté des Sciences > Service de Génie Logiciel
Mens, Tom ; Université de Mons - UMONS > Faculté des Sciences > Service de Génie Logiciel
Language :
English
Title :
Quantifying Security Issues in Reusable JavaScript Actions in GitHub Workflows
Publication date :
15 April 2024
Event name :
21st International Conference on Mining Software Repositories
Event organizer :
ACM
Event place :
Lisbon, Portugal
Event date :
15-16 April, 2024
Audience :
International
Main work title :
21st International Conference on Mining Software Repositories (MSR '24)
Publisher :
ACM
ISBN/EAN :
979-8-4007-0587-8
Peer reviewed :
Peer reviewed
Research unit :
S852 - Génie Logiciel
Research institute :
R300 - Institut de Recherche en Technologies de l'Information et Sciences de l'Informatique
Funders :
F.R.S.-FNRS - Fonds de la Recherche Scientifique
Funding number :
T.0149.22; F.4515.23; J.0147.24
Funding text :
This research is supported by the Fonds de la Recherche Scientifique - FNRS under grant numbers T.0149.22, F.4515.23 and J.0147.24.