Software reuse cuts both ways: An empirical analysis of its relationship with security vulnerabilities
Journal of Systems and Software (IF 3.5), Pub Date: 2021-02-01, DOI: 10.1016/j.jss.2020.110653
Antonios Gkortzis, Daniel Feitosa, Diomidis Spinellis

Abstract: Software reuse is a widely adopted practice among both researchers and practitioners. The relation between security and reuse can go both ways: a system can become more secure by relying on mature dependencies, or more insecure by exposing a larger attack surface through exploitable dependencies. To follow up on a previous study and shed more light on this subject, we further examine the association between software reuse and security threats. In particular, we empirically investigate 1244 open-source projects in a multiple-case study to explore and discuss the distribution of security vulnerabilities between the code created by a development team and the code reused through dependencies. For that, we consider both potential vulnerabilities, as assessed through static analysis, and disclosed vulnerabilities, as reported in public databases. The results suggest that larger projects are associated with an increase in the number of potential vulnerabilities in both native and reused code. Moreover, we found a strong correlation between a higher number of dependencies and a higher number of vulnerabilities. Based on our empirical investigation, it appears that source code reuse is neither a silver bullet to combat vulnerabilities nor a frightening werewolf that entails an excessive number of them.

Updated: 2021-02-01