Third-party library dependencies are commonplace in today's software development. With the growing threat of security vulnerabilities, applying security fixes in a timely manner is important to protect software systems. As such, the community developed a list of software and hardware weaknesses known as the Common Weakness Enumeration (CWE) to assess vulnerabilities. Prior work has revealed that maintenance activities such as refactoring code potentially correlate with security-related aspects of the source code. In this work, we explore the relationship between refactoring and security by analyzing refactoring actions performed jointly with vulnerability fixes in practice. We conducted a case study to analyze 143 Maven libraries in which 351 known vulnerabilities had been detected and fixed. Surprisingly, our exploratory results show that developers incorporate refactoring operations in their fixes, with 31.9% (112 out of 351) of the vulnerabilities paired with refactoring actions. We envision this short paper to open up potential new directions to motivate automated tool support, allowing developers to deliver fixes faster while maintaining their code.