Fix that Fix Commit: A real-world remediation analysis of JavaScript projects

Cited by: 15
Authors
Bandara, Vinuri [2,3]
Rathnayake, Thisura [2,3]
Weerasekara, Nipuna [2,3]
Elvitigala, Charitha [1,2]
Thilakarathna, Kenneth [3]
Wijesekera, Primal [4]
Keppitiyagama, Chamath [3]
Affiliations
[1] Bug Zero, Springfield, MO USA
[2] SCoRe Lab, Colombo, Sri Lanka
[3] Univ Colombo, Sch Comp, Colombo, Sri Lanka
[4] Univ Calif Berkeley, Berkeley, CA 94720 USA
Source
2020 20TH IEEE INTERNATIONAL WORKING CONFERENCE ON SOURCE CODE ANALYSIS AND MANIPULATION (SCAM 2020) | 2020
Keywords
Software Security; Vulnerability Analysis; Vulnerability Remediation; Security Testing
DOI
10.1109/SCAM51674.2020.00027
CLC classification number
TP31 [Computer software]
Discipline classification code
081202; 0835
Abstract
While there is a large body of work on understanding vulnerabilities in the wild, little has been done to understand the dynamics of the remediation phase of the development cycle. To this end, we performed a timeline analysis of 118K commits from 53 of the most used JavaScript projects on GitHub to understand the provenance and prevalence of vulnerabilities in those projects. We used a vulnerability detector (CodeQL) to identify the commits that introduced vulnerabilities and the commits that fixed a prior vulnerability. We found that in 82% of the projects, a commit fixing a prior vulnerability in turn introduced one or more new vulnerabilities. Among those projects, on average 18% of the commits intended to fix vulnerabilities in turn introduced one or more new vulnerabilities. We also found that 50% of the total vulnerabilities found in those projects originated from a commit meant to fix a prior vulnerability, and that 78% of those vulnerabilities could have been avoided had the projects used proper internal testing. We provide critical insights into how proper internal testing can avoid a significant portion of vulnerabilities, improving organizations' security posture.
Pages: 198 / 202
Page count: 5
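The abstract describes the analysis only in outline: scan every commit with a detector, diff the results along the timeline, and count fix commits that themselves introduce new findings. The following Python is an added illustration of that classification and of the three ratios the abstract reports; it is not code from the paper or its authors. It assumes each commit has already been scanned (the paper used CodeQL) and that every alert carries a stable key, written here as a constructed "rule-id:file:fingerprint" string; the commit histories and alert keys are made up. It also simplifies the paper's notion of a "commit intended to fix" to "a commit after which a prior alert disappears".

```python
"""Timeline analysis of vulnerability-introducing and vulnerability-fixing commits.

Added illustration of the analysis the abstract describes; this is not code
from the paper or its authors. It assumes that every commit of a project has
already been scanned with a static detector (the paper used CodeQL) and that
each alert carries a stable key, here a constructed string of the form
"rule-id:file:fingerprint". The commit histories below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Commit:
    sha: str
    alerts: FrozenSet[str]   # detector alerts present in the tree after this commit


@dataclass(frozen=True)
class Classification:
    sha: str
    introduced: FrozenSet[str]   # alerts absent before this commit, present after
    fixed: FrozenSet[str]        # alerts present before this commit, absent after

    @property
    def is_fix(self) -> bool:
        # Simplification: a fix is detected by a prior alert disappearing,
        # not by the developer's stated intent.
        return bool(self.fixed)

    @property
    def is_fix_that_introduced(self) -> bool:
        # The case the paper counts: a commit that removes a prior alert
        # and at the same time adds a new one.
        return self.is_fix and bool(self.introduced)


def classify(history: List[Commit]) -> List[Classification]:
    """Walk commits oldest to newest and diff consecutive alert sets.

    Keys must be stable across commits; a merely relocated alert has to keep
    its key, otherwise it is counted as one fix plus one introduction.
    """
    prev: FrozenSet[str] = frozenset()
    result = []
    for commit in history:
        result.append(Classification(commit.sha, commit.alerts - prev, prev - commit.alerts))
        prev = commit.alerts
    return result


def summarize(projects: Dict[str, List[Commit]]) -> Dict[str, float]:
    """Compute the three ratios the abstract reports, over all projects."""
    affected = 0
    bad_fix_ratios = []
    total_introduced = 0
    introduced_by_fix_commits = 0
    for history in projects.values():
        classified = classify(history)
        fixes = [c for c in classified if c.is_fix]
        bad_fixes = [c for c in fixes if c.is_fix_that_introduced]
        if bad_fixes:
            affected += 1
            bad_fix_ratios.append(len(bad_fixes) / len(fixes))
        for c in classified:
            total_introduced += len(c.introduced)
            if c.is_fix:
                introduced_by_fix_commits += len(c.introduced)
    return {
        # share of projects in which some fix commit introduced a new alert
        "projects_with_bad_fix": affected / len(projects),
        # among those projects, mean share of fix commits that introduced something
        "mean_bad_fix_ratio": sum(bad_fix_ratios) / len(bad_fix_ratios) if bad_fix_ratios else 0.0,
        # share of all introduced alerts that came from a fix commit
        "vulns_from_fix_commits": introduced_by_fix_commits / total_introduced if total_introduced else 0.0,
    }


# Constructed sample histories (not real projects); alert keys are made up.
A = "js/xss:src/render.js:f1"
B = "js/path-injection:src/files.js:f2"
C = "js/xss:src/render.js:f3"
D = "js/regex-injection:lib/match.js:f4"
E = "js/prototype-pollution:lib/merge.js:f5"
F = "js/xss:views/page.js:f6"
G = "js/prototype-pollution:lib/merge.js:f7"
H = "js/sql-injection:db/query.js:f8"

SAMPLE_PROJECTS: Dict[str, List[Commit]] = {
    "alpha": [
        Commit("a1", frozenset({A})),
        Commit("a2", frozenset({A, B})),
        Commit("a3", frozenset({B, C})),   # fixes A but introduces C
        Commit("a4", frozenset()),         # clean fix of B and C
    ],
    "beta": [
        Commit("b1", frozenset({D})),
        Commit("b2", frozenset()),         # clean fix of D
    ],
    "gamma": [
        Commit("g1", frozenset({E, F})),
        Commit("g2", frozenset({F, G})),   # fixes E but introduces G
        Commit("g3", frozenset({G})),      # clean fix of F
        Commit("g4", frozenset({G, H})),   # plain introduction of H
        Commit("g5", frozenset()),         # clean fix of G and H
    ],
}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PROJECTS).items():
        print(f"{key}: {value:.3f}")
```

On the constructed histories two of three projects contain a fix commit that introduced a new alert, the mean share of such fix commits among those projects is 5/12, and a quarter of all introduced alerts come from fix commits. The practitioner caveat is the alert key: if the detector's fingerprint changes when code is moved or reformatted, a refactoring commit is miscounted as a fix plus an introduction, so key stability should be checked on a sample before trusting the ratios. The abstract's further figure, that 78% of those vulnerabilities would have been caught by internal testing, is not modelled here.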