Although using third-party libraries is common practice when writing software, vulnerabilities may be found even in well-known libraries. Detected vulnerabilities are often fixed quickly in the library code. The easiest way to include these fixes in a dependent software application is to update the library version in use. Package managers provide automated solutions for updating library dependencies. However, library dependencies can themselves depend on other libraries, resulting in a dependency network with several levels of indirection. Assessing the vulnerability risk induced by such dependency networks is a non-trivial task for software developers. The library dependency network in the Swift ecosystem encompasses libraries from CocoaPods, Carthage and Swift Package Manager. We analysed how vulnerabilities propagate in the library dependency network of the Swift ecosystem, how vulnerable dependencies could be fixed via dependency upgrades, and whether third-party vulnerability analysis could be made more precise given public information on these vulnerabilities. We found that only 5.9% of connected libraries had a direct or transitive dependency on a vulnerable library. Although we found that most libraries with publicly reported vulnerabilities are written in C, the highest impact of publicly reported vulnerabilities originated from libraries written in native iOS languages. We found that around 30% of vulnerable dependencies could have been fixed by upgrading the library dependency. In the case of critical vulnerabilities and latest library versions, over 70% of vulnerable dependencies would have been fixed via a dependency upgrade. Lastly, we checked whether the analysis of vulnerable dependency use could be refined using publicly available information on the code location (method or class) of a reported vulnerability. We found that such information is not available most of the time.
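As an added illustration that is not part of the paper, the following model shows the two questions the abstract studies on a constructed dependency network: which roots reach a vulnerable library directly or transitively once version constraints are resolved, and whether re-resolving to the newest versions allowed by the declared constraints (a dependency upgrade) removes the vulnerable dependency. Package names, versions and the advisory range are constructed for the example.

```python
from typing import Dict, Tuple

Version = Tuple[int, int, int]
Range = Tuple[Version, Version]  # half-open [lo, hi), like a "from X up to next major" constraint

# Constructed registry (hypothetical packages, not from the paper):
# package -> {published version: {dependency: allowed range}}
REGISTRY: Dict[str, Dict[Version, Dict[str, Range]]] = {
    "App":       {(1, 0, 0): {"NetKit": ((2, 0, 0), (3, 0, 0))}},
    "LegacyApp": {(1, 0, 0): {"NetKit": ((2, 0, 0), (2, 1, 0))}},  # pins NetKit 2.0.x
    "NetKit":    {(2, 0, 0): {"ZipLib": ((1, 1, 0), (1, 2, 0))},
                  (2, 1, 0): {"ZipLib": ((1, 1, 0), (2, 0, 0))}},
    "ZipLib":    {(1, 1, 0): {}, (1, 1, 5): {}, (1, 2, 0): {}},
}
# Constructed advisory (not a real CVE): every ZipLib release below 1.2.0 is affected.
VULNERABLE: Dict[str, Range] = {"ZipLib": ((0, 0, 0), (1, 2, 0))}


def in_range(v: Version, r: Range) -> bool:
    return r[0] <= v < r[1]


def resolve(name: str, rng: Range, latest: bool) -> Version:
    """Pick the oldest (stale lockfile) or newest (after an upgrade) published version inside rng."""
    candidates = sorted(v for v in REGISTRY[name] if in_range(v, rng))
    if not candidates:
        raise LookupError(f"no published version of {name} satisfies {rng}")
    return candidates[-1] if latest else candidates[0]


def vulnerable_deps(root: str, root_version: Version, latest: bool) -> Dict[str, Version]:
    """Walk the resolved graph from root; return each vulnerable library reached, direct or transitive."""
    found: Dict[str, Version] = {}
    seen, stack = set(), [(root, root_version)]
    while stack:
        name, ver = stack.pop()
        if (name, ver) in seen:
            continue
        seen.add((name, ver))
        if name in VULNERABLE and in_range(ver, VULNERABLE[name]):
            found[name] = ver
        for dep, rng in REGISTRY[name][ver].items():
            stack.append((dep, resolve(dep, rng, latest)))
    return found


def fixable_by_upgrade(root: str, root_version: Version) -> Dict[str, bool]:
    """True when re-resolving to the newest allowed versions drops the vulnerable library;
    False means the declared constraints themselves block the fix (upstream must relax them)."""
    before = vulnerable_deps(root, root_version, latest=False)
    after = vulnerable_deps(root, root_version, latest=True)
    return {lib: lib not in after for lib in before}
```

`App` reaches the affected ZipLib only through NetKit, and an upgrade fixes it because NetKit 2.1.0 admits ZipLib 1.2.0; `LegacyApp` pins NetKit to 2.0.x, so the newest allowed ZipLib is still 1.1.5 and the upgrade does not help.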