On the Use of Refactoring in Security Vulnerability Fixes: An Exploratory Study on Maven Libraries

05/17/2022
by   Ayano Ikegami, et al.
0

Third-party library dependencies are commonplace in today's software development. With the growing threat of security vulnerabilities, applying security fixes in a timely manner is important to protect software systems. As such, the community developed a list of software and hardware weakness known as Common Weakness Enumeration (CWE) to assess vulnerabilities. Prior work has revealed that maintenance activities such as refactoring code potentially correlate with security-related aspects in the source code. In this work, we explore the relationship between refactoring and security by analyzing refactoring actions performed jointly with vulnerability fixes in practice. We conducted a case study to analyze 143 maven libraries in which 351 known vulnerabilities had been detected and fixed. Surprisingly, our exploratory results show that developers incorporate refactoring operations in their fixes, with 31.9 actions. We envision this short paper to open up potential new directions to motivate automated tool support, allowing developers to deliver fixes faster, while maintaining their code.

READ FULL TEXT

page 1

page 2

page 3

page 4

research
08/13/2021

VulnEx: Exploring Open-Source Software Vulnerabilities in Large Development Organizations to Understand Risk Exposure

The prevalent usage of open-source software (OSS) has led to an increase...
research
06/09/2023

Analyzing Maintenance Activities of Software Libraries

Industrial applications heavily integrate open-source software libraries...
research
03/12/2022

Characterizing and Understanding Software Security Vulnerabilities in Machine Learning Libraries

The application of machine learning (ML) libraries has been tremendously...
research
01/17/2018

M-STAR: A Modular, Evidence-based Software Trustworthiness Framework

Despite years of intensive research in the field of software vulnerabili...
research
01/17/2023

SECOMlint: A linter for Security Commit Messages

Transparent and efficient vulnerability and patch disclosure are still a...
research
07/04/2019

CARVE: Practical Security-Focused Software Debloating Using Simple Feature Set Mappings

Software debloating is an emerging field of study aimed at improving the...
research
12/02/2017

Exploring the outsourcing relationship in software startups: A multiple case study

Software startups are becoming increasingly popular in software industry...

Please sign up or login with your details

Forgot password? Click here to reset