DOI: 10.1145/3530019.3535304
Research article

On the Use of Refactoring in Security Vulnerability Fixes: An Exploratory Study on Maven Libraries

Published: 13 June 2022

Abstract

Third-party library dependencies are commonplace in today’s software development. With the growing threat of security vulnerabilities, applying security fixes in a timely manner is important to protect software systems. To assess vulnerabilities, the community developed a list of software and hardware weaknesses known as the Common Weakness Enumeration (CWE). Prior work has revealed that maintenance activities such as refactoring code potentially correlate with security-related aspects of the source code. In this work, we explore the relationship between refactoring and security by analyzing refactoring actions performed jointly with vulnerability fixes in practice. We conducted a case study of 143 Maven libraries in which 351 known vulnerabilities had been detected and fixed. Surprisingly, our exploratory results show that developers incorporate refactoring operations in their fixes: 31.9% (112 out of 351) of the vulnerabilities were paired with refactoring actions. We envision this short paper opening up new directions to motivate automated tool support that allows developers to deliver fixes faster while maintaining their code.


Cited By

  • (2024) On the Impact of Refactorings on Software Attack Surface. IEEE Access 12, 128570–128584. https://doi.org/10.1109/ACCESS.2024.3404058
  • (2024) A Survey on Secure Refactoring. SN Computer Science 5:7. Published online 12 Oct 2024. https://doi.org/10.1007/s42979-024-03325-y
  • (2023) Persisting and Reusing Results of Static Program Analyses on a Large Scale. Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering (ASE), 888–900. Published online 11 Nov 2023. https://doi.org/10.1109/ASE56229.2023.00080
  • (2022) Software Security Measurements: A Survey. 2022 International Conference on Intelligent Technology, System and Service for Internet of Everything (ITSS-IoE), 1–6. Published online 3 Dec 2022. https://doi.org/10.1109/ITSS-IoE56359.2022.9990968

Published In

EASE '22: Proceedings of the 26th International Conference on Evaluation and Assessment in Software Engineering
June 2022, 466 pages
ISBN: 9781450396134
DOI: 10.1145/3530019
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

EASE 2022

Acceptance Rates

Overall Acceptance Rate 71 of 232 submissions, 31%

Article Metrics

  • Downloads (Last 12 months)35
  • Downloads (Last 6 weeks)6
Reflects downloads up to 07 Mar 2025
