Prioritizing refactorings for security-critical code
Automated Software Engineering (IF 3.4). Pub Date: 2021-05-18. DOI: 10.1007/s10515-021-00281-2
Chaima Abid , Vahid Alizadeh , Marouane Kessentini , Mouna Dhaouadi , Rick Kazman

It is vitally important to fix quality issues in security-critical code, as they may become sources of vulnerabilities in the future. These quality issues may increase the attack surface if they are not quickly refactored. In this paper, we use the history of vulnerabilities and security bug reports, along with a set of keywords, to automatically identify a project's security-critical files based on its source code, bug reports, pull-request descriptions and commit messages. After identifying these security-related files, we estimate their risk using static analysis to check their coupling with other project components. Then, our approach recommends refactorings that prioritize fixing quality issues in these security-critical files, improving quality attributes and removing identified code smells. To find a trade-off between the quality issues and the security-critical files, we adopted a multi-objective search strategy. We evaluated our approach on six open source projects and one industrial system to check the correctness and relevance of the refactorings targeting security-critical code. The results of our survey with practitioners support our hypothesis that quality and security need to be considered together to provide relevant refactoring recommendations.
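The first two steps the abstract sketches (flag files tied to security-related commits and bug reports by keyword matching, then weight them by their coupling to the rest of the project) can be illustrated with a small script. The code below is an added example written for this page; it is not the authors' tool and does not reproduce their keyword list, risk model or search strategy. The keyword list, the commit messages, bug reports and dependency graph are all constructed, and the risk formula (evidence count times one plus fan-in plus fan-out) is a deliberately simple stand-in for whatever static-analysis measure the paper uses.

```python
"""
Toy illustration of the pipeline sketched in the abstract: flag files touched
by security-related commits or bug reports via keyword matching, then weight
them by coupling (fan-in + fan-out) taken from a dependency graph.
Everything below is constructed sample data; this is not the paper's tool.
"""
import re
from collections import defaultdict

# Hypothetical keyword list; a real one would be tuned per project.
SECURITY_KEYWORDS = ("cve", "vulnerab", "overflow", "injection", "xss",
                     "csrf", "auth", "sanitiz", "escape", "crypto")
KEYWORD_RE = re.compile("|".join(map(re.escape, SECURITY_KEYWORDS)), re.IGNORECASE)

# Constructed commit history: (message, files touched by the commit)
COMMITS = [
    ("Fix SQL injection in login handler (CVE-XXXX-YYYY placeholder)",
     ["auth/login.py", "db/query.py"]),
    ("Refactor logging format", ["util/log.py"]),
    ("Escape user input in template renderer to prevent XSS", ["web/render.py"]),
    ("Bump version", ["setup.py"]),
]

# Constructed bug reports: (title, files the report references)
BUG_REPORTS = [
    ("Buffer overflow when parsing long headers", ["net/http_parser.py"]),
    ("Typo in README", ["README.md"]),
]

# Constructed static dependency graph: file -> modules it imports
DEPENDENCIES = {
    "auth/login.py": ["db/query.py", "util/log.py"],
    "web/render.py": ["auth/login.py", "util/log.py"],
    "net/http_parser.py": ["util/log.py"],
    "db/query.py": ["util/log.py"],
    "util/log.py": [],
    "setup.py": [],
}


def is_security_related(text):
    """True if the free text mentions any of the security keywords."""
    return KEYWORD_RE.search(text) is not None


def identify_security_files(commits, bug_reports):
    """Return {file: number of security-related records that touch it}."""
    hits = defaultdict(int)
    for text, files in list(commits) + list(bug_reports):
        if is_security_related(text):
            for f in files:
                hits[f] += 1
    return dict(hits)


def coupling(deps):
    """Fan-out (modules a file imports) plus fan-in (modules importing it)."""
    fan_in = defaultdict(int)
    for targets in deps.values():
        for t in targets:
            fan_in[t] += 1
    return {f: len(deps[f]) + fan_in[f] for f in deps}


def risk_ranking(commits, bug_reports, deps):
    """Rank flagged files by evidence * (1 + coupling), highest risk first.

    Ties are broken by path so the output is deterministic.
    """
    evidence = identify_security_files(commits, bug_reports)
    cpl = coupling(deps)
    scored = {f: n * (1 + cpl.get(f, 0)) for f, n in evidence.items()}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for path, score in risk_ranking(COMMITS, BUG_REPORTS, DEPENDENCIES):
        print(f"{score:3d}  {path}")
```

On the constructed data, `auth/login.py` ranks first: it has security evidence and the highest coupling, so a quality defect there is reachable from more of the codebase. Plain substring keywords are a coarse classifier (for instance, "auth" also matches "author"), which is one reason the paper combines keywords with actual vulnerability history rather than relying on text alone.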




Updated: 2021-05-18