Academic Journal
The Secret Life of Software Vulnerabilities: A Large-Scale Empirical Study
| Field | Value |
|---|---|
| Title | The Secret Life of Software Vulnerabilities: A Large-Scale Empirical Study |
| Authors | Iannone E., Guadagni R., Ferrucci F., De Lucia A., Palomba F. |
| Contributors | Iannone, E., Guadagni, R., Ferrucci, F., De Lucia, A., Palomba, F. |
| Year of publication | 2023 |
| Subject terms | Code, Data mining, Detector, Empirical Software Engineering, Mining Software Repositories, Software, Software development management, Software engineering, Software system, Software Vulnerabilities |
| Description | Software vulnerabilities are weaknesses in source code that can potentially be exploited to cause loss or harm. While researchers have devised a number of methods to deal with vulnerabilities, there is still a noticeable lack of knowledge about their software engineering life cycle, for example how vulnerabilities are introduced and removed by developers. This information can be used to design more effective methods for vulnerability prevention and detection, as well as to understand the granularity at which these methods should aim. To investigate the life cycle of known software vulnerabilities, we focus on how, when, and under which circumstances the contributions to the introduction of vulnerabilities in software projects are made, as well as how long they persist and how they are removed. We consider 3,663 vulnerabilities with public patches from the National Vulnerability Database pertaining to 1,096 open-source software projects on GitHub and define an eight-step process involving both automated parts (e.g., using a procedure based on the SZZ algorithm to find the vulnerability-contributing commits) and manual analyses (e.g., how vulnerabilities were fixed). The investigated vulnerabilities can be classified into 144 categories, take on average at least 4 contributing commits before being introduced, and half of them remain unfixed for more than one year. Most of the contributions are made by developers with a high workload, often while doing maintenance activities, and the vulnerabilities are removed mostly through the addition of new source code that implements further checks on inputs. We conclude by distilling practical implications on how vulnerability detectors should work to assist developers in identifying these issues in a timely manner. |
| Document type | article in journal/newspaper |
| Language | English |
| Relation | info:eu-repo/semantics/altIdentifier/wos/WOS:001020827200003; volume: 49(1); first page: 44; last page: 63; number of pages: 20; journal: IEEE TRANSACTIONS ON SOFTWARE ENGINEERING; https://hdl.handle.net/11386/4778905; https://ieeexplore.ieee.org/document/9672730 |
| DOI | 10.1109/TSE.2022.3140868 |
| Availability | https://hdl.handle.net/11386/4778905 ; https://doi.org/10.1109/TSE.2022.3140868 ; https://ieeexplore.ieee.org/document/9672730 |
| Accession number | edsbas.F013685B |
| Database | BASE |