Exploring the Security Awareness of the Python and JavaScript Open Source Communities
arXiv - CS - Software Engineering Pub Date: 2020-06-24, DOI: arxiv-2006.13652
Gábor Antal, Márton Keleti, Péter Hegedűs

Software security is undoubtedly a major concern in today's software engineering. Although the level of awareness of security issues is often high, practical experience shows that neither preventive actions nor reactions to reported issues are always handled properly in reality. By analyzing large quantities of commits in open-source communities, we can categorize the vulnerabilities mitigated by developers and study their distribution, resolution time, etc., to learn from and improve security management processes and practices. With the help of the Software Heritage Graph Dataset, we investigated the commits of projects written in two of the most popular scripting languages, Python and JavaScript, collected from public repositories, and identified those that mitigate a certain vulnerability in the code (i.e. vulnerability resolution commits). On the one hand, we identified the types of vulnerabilities (in terms of CWE groups) referred to in commit messages and compared their numbers within the two communities. On the other hand, we examined the average time elapsing between the publish date of a vulnerability and the first reference to it in a commit. We found that there is a large intersection in the vulnerability types mitigated by the two communities, but the most prevalent vulnerability types are language-specific. Moreover, neither the JavaScript nor the Python community reacts very fast to newly published security vulnerabilities in general, with only a couple of exceptions for certain CWE groups.
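The two measurements the abstract describes (which CWE groups a community's fix commits reference, and how long after publication a vulnerability is first mentioned) can be reproduced on a small scale. The script below is an added illustration, not the authors' tooling: it does not query the Software Heritage Graph Dataset but works on a constructed, in-memory commit log, and it assumes a constructed vulnerability table that maps placeholder CVE identifiers (not real advisories) to a CWE group and a publish date. The function names (`resolution_commits`, `summarize`, `shared_groups`) are the example's own.

```python
"""Toy version of a vulnerability-resolution-commit analysis (added example).

Identifies commits whose message references a CVE id, takes the earliest such
commit per (language, CVE), and aggregates the delay between the advisory's
publish date and that first reference by language and CWE group.
"""
import re
from collections import defaultdict
from datetime import date

# CVE ids: "CVE-" + 4-digit year + 4 or more digits; matched case-insensitively
# because commit messages are free text.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed vulnerability table (assumption): CVE id -> (CWE group, publish date).
# The ids are placeholders, not real advisories.
VULNS = {
    "CVE-2019-00001": ("CWE-79", date(2019, 3, 1)),
    "CVE-2019-00002": ("CWE-400", date(2019, 5, 10)),
    "CVE-2020-00003": ("CWE-79", date(2020, 1, 15)),
    "CVE-2020-00004": ("CWE-22", date(2020, 2, 1)),
}

# Constructed commit log (assumption): (language, author date, message).
# A real run would stream these records from the Software Heritage Graph Dataset.
COMMITS = [
    ("python", date(2019, 3, 4), "Escape user input in template helper (fixes CVE-2019-00001)"),
    ("python", date(2019, 3, 20), "Add regression test for cve-2019-00001"),   # later mention, ignored
    ("javascript", date(2019, 8, 1), "Replace catastrophic regex, see CVE-2019-00002"),
    ("javascript", date(2019, 9, 1), "Hardening related to CVE-2018-00009"),   # id not in table, skipped
    ("javascript", date(2020, 1, 16), "Sanitize attribute values; CVE-2020-00003"),
    ("javascript", date(2020, 1, 28), "Reject '..' path segments (CVE-2020-00004)"),  # before publish date
    ("python", date(2020, 4, 1), "Normalize paths before open() - CVE-2020-00004 and CVE-2019-00001"),
    ("python", date(2020, 4, 2), "Bump version"),                               # no vulnerability reference
]


def resolution_commits(commits):
    """Return {(language, CVE id): date of the earliest commit mentioning it}."""
    first = {}
    for lang, when, msg in commits:
        for cve in CVE_RE.findall(msg):
            key = (lang, cve.upper())
            if key not in first or when < first[key]:
                first[key] = when
    return first


def reaction_days(commits, vulns):
    """Return {(language, CWE group): [days from publish date to first reference, ...]}.

    Negative values are kept on purpose: they mean the fix landed before the
    advisory was published (coordinated disclosure), which a real study must
    report separately rather than average away.
    """
    by_group = defaultdict(list)
    for (lang, cve), when in resolution_commits(commits).items():
        if cve not in vulns:
            continue  # referenced id has no advisory record; do not guess a CWE group
        cwe, published = vulns[cve]
        by_group[(lang, cwe)].append((when - published).days)
    return dict(by_group)


def summarize(commits, vulns):
    """Per (language, CWE group): number of resolved CVEs and mean reaction time in days."""
    return {
        key: {"count": len(delays), "mean_days": sum(delays) / len(delays)}
        for key, delays in reaction_days(commits, vulns).items()
    }


def shared_groups(summary):
    """CWE groups that appear in the fix commits of every language in the summary."""
    per_lang = defaultdict(set)
    for lang, cwe in summary:
        per_lang[lang].add(cwe)
    return set.intersection(*per_lang.values()) if per_lang else set()


if __name__ == "__main__":
    summary = summarize(COMMITS, VULNS)
    for (lang, cwe), row in sorted(summary.items()):
        print(f"{lang:10s} {cwe:8s} n={row['count']} mean={row['mean_days']:.1f} days")
    print("shared CWE groups:", sorted(shared_groups(summary)))
```

Only the earliest reference per (language, CVE) counts, so the later Python commit that mentions the same id again does not shorten or lengthen the measured delay; this is the detail that makes "first reference" well defined when an advisory is cited across several commits.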

Updated: 2020-06-25