This study investigates software vulnerability resolution time in the Maven ecosystem, focusing on the influence of CVE severity, library popularity as measured by the number of dependents, and version release frequency. The results suggest that critical vulnerabilities are addressed slightly faster than lower-severity ones. Library popularity shows a positive impact on resolution times, and frequent version releases are associated with faster vulnerability fixes. These statistically significant findings are based on a thorough evaluation of over 14 million versions from 658,078 libraries using the dependency graph database of the Goblin framework. The results emphasize the need for proactive maintenance strategies to improve vulnerability management in open-source ecosystems.