[Context]: Containerization, orchestrated by Kubernetes, underpins the resilience of distributed applications. Helm is a package manager for Kubernetes applications. A Helm package, called a "Chart", is a set of pre-configured resources that lets one quickly deploy a complex application. However, Helm also broadens the attack surface of the distributed applications it deploys. [Objective]: This study aims to investigate the prevalence of fixable vulnerabilities in Helm Charts, the factors related to those vulnerabilities, and the mitigation strategies currently in use. [Method]: We conduct a mixed-methods study on 11,035 Helm Charts affected by 10,982 fixable vulnerabilities. We analyze the complexity of Charts and compare the distribution of vulnerabilities between official and unofficial Charts. Subsequently, we investigate vulnerability mitigation strategies in the Chart-associated repositories using grounded theory. [Results]: Our findings highlight that the complexity of a Chart correlates with its number of vulnerabilities, and that official Charts do not contain fewer vulnerabilities than unofficial Charts. The 10,982 fixable vulnerabilities are at a median of high severity and can be easily exploited. In addition, we identify 11 vulnerability mitigation strategies in three categories. Because of the complexity of Charts, maintainers must investigate where a vulnerability has impact and how to mitigate it. The use of automated strategies is low, as automation has limited capability (e.g., a higher number of false positives) in such complex Charts. [Conclusion]: There is a need for automation tools that assist maintainers in mitigating vulnerabilities and reduce manual effort. In addition, Chart maintainers lack incentives to mitigate vulnerabilities, given the absence of guidelines on mitigation responsibilities. Adopting a shared responsibility model in the Helm ecosystem would increase its security.
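The abstract's notion of "fixable" vulnerabilities (findings whose affected package already has a fixed version) and of a Chart's complexity (here approximated by the number of distinct container images it deploys) can be made concrete with a small triage script. The following is an added example and is not code from the paper or from the Helm project; the rendered manifests and the scanner findings are constructed inline, and the finding fields (`image`, `id`, `severity`, `fixed_version`) are assumptions standing in for whatever a real image scanner emits. It extracts the image references a Chart renders, keeps only findings that both affect one of those images and carry a fixed version, and reports the per-image count and median severity, which is the kind of information a maintainer needs before deciding which image bump mitigates what.

```python
import re
from collections import Counter

# Constructed sample in the shape `helm template <chart>` renders (not a real Chart).
# Only rendered output is parsed: in raw templates `image:` values are Go-template
# expressions and cannot be resolved without rendering.
RENDERED_MANIFESTS = """
---
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: web
          image: "docker.io/library/nginx:1.25.0"
        - name: sidecar
          image: busybox:1.36
---
apiVersion: apps/v1
kind: StatefulSet
spec:
  template:
    spec:
      initContainers:
        - name: init
          image: busybox:1.36
      containers:
        - name: db
          image: docker.io/library/postgres:15.3
"""

# Matches `image: ref`, `- image: ref`, with or without quotes, on its own line.
IMAGE_RE = re.compile(r'^\s*(?:-\s*)?image:\s*["\']?([^"\'\s]+)["\']?\s*$')

# Constructed scanner findings; identifiers are placeholders, not real advisories.
SCAN_FINDINGS = [
    {"image": "docker.io/library/nginx:1.25.0", "id": "VULN-0001",
     "severity": "HIGH", "fixed_version": "1.25.1"},
    {"image": "docker.io/library/nginx:1.25.0", "id": "VULN-0002",
     "severity": "CRITICAL", "fixed_version": None},   # no fix yet: not fixable
    {"image": "busybox:1.36", "id": "VULN-0003",
     "severity": "MEDIUM", "fixed_version": "1.36.1"},
    {"image": "docker.io/library/postgres:15.3", "id": "VULN-0004",
     "severity": "HIGH", "fixed_version": "15.4"},
    {"image": "docker.io/library/postgres:15.3", "id": "VULN-0005",
     "severity": "LOW", "fixed_version": None},         # no fix yet: not fixable
    {"image": "docker.io/library/redis:7.0", "id": "VULN-0006",
     "severity": "HIGH", "fixed_version": "7.0.1"},     # image not in this Chart
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def extract_images(manifests: str) -> list[str]:
    """Return the distinct image references in order of first appearance."""
    images: list[str] = []
    for line in manifests.splitlines():
        match = IMAGE_RE.match(line)
        if match and match.group(1) not in images:
            images.append(match.group(1))
    return images


def fixable_findings(images: list[str], findings: list[dict]) -> list[dict]:
    """Keep findings that affect an image the Chart deploys and that have a fix."""
    deployed = set(images)
    return [f for f in findings if f["image"] in deployed and f["fixed_version"]]


def summarize(manifests: str, findings: list[dict]) -> dict:
    """Complexity proxy (image count), fixable count per image and median severity."""
    images = extract_images(manifests)
    fixable = fixable_findings(images, findings)
    per_image = Counter(f["image"] for f in fixable)
    ranks = sorted(SEVERITY_RANK[f["severity"]] for f in fixable)
    median_rank = ranks[len(ranks) // 2] if ranks else 0
    median_sev = next((n for n, r in SEVERITY_RANK.items() if r == median_rank), "NONE")
    return {
        "image_count": len(images),
        "fixable_count": len(fixable),
        "fixable_per_image": dict(per_image),
        "median_severity": median_sev,
    }


if __name__ == "__main__":
    report = summarize(RENDERED_MANIFESTS, SCAN_FINDINGS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Duplicate references (busybox appears in two workloads) are counted once, so the image count reflects what must actually be upgraded rather than how many places reference it; findings without a fixed version are deliberately excluded, since no Chart-level change can close them yet.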