
Investigating the Vulnerability Fixing Process in OSS Projects: Peculiarities and Challenges by Gerardo Canfora, Andrea Di Sorbo, Sara Forootani, Antonio Pirozzi, Corrado Aaron Visaggio

Published 27 Sep 2020, 11:16 by Gerardo Canfora
Although vulnerabilities can be considered and treated as bugs, they present numerous peculiarities compared to other types of bugs (canonical bugs in the remainder of the paper). A vulnerability adds functionality to a system, as it allows an adversary to misuse or abuse the system, while a canonical bug is an incomplete or incorrect implementation of a requirement, and thus degrades the functionality of the system. This difference can affect the fixing process of vulnerabilities. By mining the repositories of 6 open source projects, we characterize the differences in the fixing process between vulnerabilities and canonical bugs, highlighting critical issues which could represent challenges for future research. Results of our study demonstrate that: (i) more re-assignments (than the ones observed for canonical bugs) are required for finding the developers able to handle vulnerability-related bugs, (ii) developers' security-related skills should be profiled, to improve the efficiency of the security bug assignment tasks and, consequently, reduce the re-assignments, and (iii) vulnerabilities require more effort, contributors and time for the fixing strategy, but less time to fix than canonical bugs.
Keywords: Security Bugs, Process Improvement, Software Maintenance and Evolution, Bug Management, Empirical Study
Computers & Security (to appear)