This study investigates vulnerabilities in dependencies of sampled open-source software (OSS) projects, the relationship between these and overall project security, and how developers' behaviors and practices influence their mitigation. Through analysis of OSS projects, we have identified common issues in outdated or unmaintained dependencies, including pointer dereferences and array bounds violations, that pose significant security risks. We have also examined developer responses to formal verifier reports, noting a tendency to dismiss potential issues as false positives, which can lead to overlooked vulnerabilities. Our results suggest that reducing the number of direct dependencies and prioritizing well-established libraries with strong security records are effective strategies for enhancing the software security landscape. Notably, four vulnerabilities were fixed as a result of this study, demonstrating the effectiveness of our mitigation strategies.

翻译：本研究调查了抽样开源软件（OSS）项目中依赖项的安全漏洞、这些漏洞与项目整体安全性之间的关系，以及开发者的行为与实践如何影响漏洞的缓解。通过对OSS项目的分析，我们识别了过时或未维护依赖项中的常见问题，包括指针解引用和数组边界违规，这些问题构成了重大的安全风险。我们还考察了开发者对形式化验证工具报告的反应，注意到他们倾向于将潜在问题视为误报而予以忽略，这可能导致漏洞被忽视。我们的结果表明，减少直接依赖项的数量，并优先选择具有良好安全记录且成熟的库，是提升软件安全状况的有效策略。值得注意的是，本研究中已有四个漏洞因此得到修复，这证明了我们缓解策略的有效性。