Vulnerabilities from third-party libraries (TPLs) have been unveiled to threaten the Maven ecosystem. Despite patches being released promptly after vulnerabilities are disclosed, the libraries and applications in the community still use the vulnerable versions, which makes the vulnerabilities persistent in the Maven ecosystem (e.g., the notorious Log4Shell still greatly influences the Maven ecosystem nowadays from 2021). Both academic and industrial researchers have proposed user-oriented standards and solutions to address vulnerabilities, while such solutions fail to tackle the ecosystem-wide persistent vulnerabilities because it requires a collective effort from the community to timely adopt patches without introducing breaking issues. To seek an ecosystem-wide solution, we first carried out an empirical study to examine the prevalence of persistent vulnerabilities in the Maven ecosystem. Then, we identified affected libraries for alerts by implementing an algorithm monitoring downstream dependents of vulnerabilities based on an up-to-date dependency graph. Based on them, we further quantitatively revealed that patches blocked by upstream libraries caused the persistence of vulnerabilities. After reviewing the drawbacks of existing countermeasures, to address them, we proposed a solution for range restoration (Ranger) to automatically restore the compatible and secure version ranges of dependencies for downstream dependents. The automatic restoration requires no manual effort from the community, and the code-centric compatibility assurance ensures smooth upgrades to patched versions. Moreover, Ranger along with the ecosystem monitoring can timely alert developers of blocking libraries and suggest flexible version ranges to rapidly unblock patch versions. By evaluation, Ranger could restore 75.64% of ranges which automatically remediated 90.32% of vulnerable downstream projects.

翻译：第三方库（TPL）的漏洞已被揭示威胁着Maven生态系统。尽管漏洞披露后补丁迅速发布，但社区中的库和应用仍使用存在漏洞的版本，这导致漏洞在Maven生态系统中持续存在（例如，臭名昭著的Log4Shell从2021年至今仍对Maven生态系统产生重大影响）。学术界和工业界研究者提出了一些面向用户的标准和解决方案来应对漏洞，然而此类方案未能解决生态系统层面的持久漏洞问题，因为需要社区集体努力及时采用补丁且不引入破坏性问题。为寻求生态系统层面的解决方案，我们首先进行实证研究以考察Maven生态系统中持久漏洞的普遍性。随后，我们基于最新的依赖关系图实现了一种监控漏洞下游依赖的算法，从而识别出需要预警的受影响库。在此基础上，我们进一步定量揭示上游库阻止补丁导致了漏洞的持久性。在评估现有对策的不足后，我们提出了一种范围恢复（Ranger）解决方案，可自动为下游依赖恢复兼容且安全的依赖版本范围。该自动恢复无需社区手动操作，且以代码为中心的兼容性保障确保了补丁版本的无缝升级。此外，Ranger结合生态系统监控能及时向开发者预警阻塞库，并建议灵活的版本范围以快速解除补丁版本的阻塞状态。通过评估，Ranger能恢复75.64%的版本范围，自动修复了90.32%的脆弱下游项目。