Analysis of Code Vulnerabilities in Repositories of GitHub and Rosettacode: A Comparative Study
Keywords:
Software Vulnerability, Software Security, Programming Portal, Vulnerability Severity
Abstract
Open-source code hosted online at programming portals is present in 99% of commercial software, and reusing it is common practice among developers for rapid prototyping and cost-effective development. However, research reports the presence of vulnerabilities in such code, which can result in catastrophic security compromise; individuals, organizations, and even national secrecy all fall victim to this circumstance. One of the frustrating aspects of vulnerabilities is that they manifest themselves in hidden ways that software developers are unaware of. Vulnerability detection is therefore one of the most critical tasks in ensuring software security, since vulnerabilities jeopardize core security concepts such as integrity, authenticity, and availability. This study explores security-related vulnerabilities in programs written in C, C++, and Java and presents the disparities between them as hosted at popular code repositories. To this end, 708 programs were examined according to severity-based guidelines. A total of 1371 vulnerable code instances were identified: 327 in C, 51 in C++, and 993 in Java. Statistical analysis also indicated a substantial difference between them, as the Kruskal-Wallis H-test p-value (.000) is below the 0.05 significance level. The Mann-Whitney test mean ranks for GitHub (mean rank = 676.05) and Rosettacode (mean rank = 608.64) also differ. The novelty of this article lies in identifying security vulnerabilities and grasping the nature and severity of vulnerabilities in popular code repositories. The study ultimately offers a guideline for choosing a secure programming language, together with a testing approach that targets the vulnerabilities most liable to breach security.
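The Mann-Whitney mean-rank comparison the abstract reports, implemented from scratch as an added example (this is not the paper's code): the per-program vulnerability counts are constructed sample data, not the study's 708 programs, and a higher mean rank means more vulnerabilities per program in that repository.

```python
"""Mann-Whitney U mean-rank comparison of per-program vulnerability counts.
Added example, not the paper's code; the counts below are constructed."""
from math import erf, sqrt

# Constructed per-program vulnerability counts for two repositories (not the study's data).
GITHUB_COUNTS = [3, 5, 2, 4, 6]
ROSETTACODE_COUNTS = [1, 2, 0, 3, 1]


def average_ranks(values):
    """Rank values 1..n; tied values share their average rank, as Mann-Whitney requires."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j + 2) / 2.0  # 0-based positions i..j hold 1-based ranks i+1..j+1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def mann_whitney(group_a, group_b):
    """Return (mean rank A, mean rank B, U, two-sided p) via the tie-corrected normal approximation."""
    n_a, n_b = len(group_a), len(group_b)
    pooled = list(group_a) + list(group_b)
    ranks = average_ranks(pooled)
    r_a, r_b = sum(ranks[:n_a]), sum(ranks[n_a:])
    u = min(r_a - n_a * (n_a + 1) / 2.0, r_b - n_b * (n_b + 1) / 2.0)
    n = n_a + n_b
    tie_counts = {}
    for v in pooled:
        tie_counts[v] = tie_counts.get(v, 0) + 1
    tie_term = sum(t ** 3 - t for t in tie_counts.values())  # sum(t^3 - t) over tie groups
    sigma = sqrt(n_a * n_b / 12.0 * ((n + 1) - tie_term / (n * (n - 1))))
    if sigma == 0:  # every count identical: no evidence of a difference
        return r_a / n_a, r_b / n_b, u, 1.0
    z = (u - n_a * n_b / 2.0) / sigma
    p = 2 * (1 - 0.5 * (1 + erf(abs(z) / sqrt(2))))
    return r_a / n_a, r_b / n_b, u, p


def compare_repositories():
    """Run the test on the constructed counts for the two repositories."""
    return mann_whitney(GITHUB_COUNTS, ROSETTACODE_COUNTS)
```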
License
Copyright (c) 2022 50sea
This work is licensed under a Creative Commons Attribution 4.0 International License.