An Empirical Investigation of the Security Weaknesses in Open-Source Projects

Haifa Al-Shammare; Nehal Al-Otaiby; Muradi Al-Otabi; Mohammad Alshayeb

doi:10.1145/3661167.3661279

An Empirical Investigation of the Security Weaknesses in Open-Source Projects

Haifa Al-Shammare, Nehal Al-Otaiby, Muradi Al-Otabi, Mohammad Alshayeb

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

With the increase of code reuse, the possibility of security vulnerabilities increases. Thus, tools for static analysis are widely used to evaluate open-source projects against security vulnerabilities. This research aims to empirically study common weakness types (CWEs), their frequencies, and the correlations between them and open-source project characteristics. The PVS-Studio tool analyzed 150 projects hosted on GitHub and written in C#, C++, and Java. The tool was used to investigate the common weaknesses found in these projects. Furthermore, our study has practical implications for developers and researchers interested in open-source project security. We have identified the factors that contribute to the presence of these weaknesses, and our statistical analyses have shed light on these factors. Notably, C++ projects tend to have more weaknesses. The most common types of weaknesses detected in these programming languages are CWE-571, 570, 690, 682, 476, 628, 563, 691, 704, and 393. The age of the project and the number of commits are found to be positively correlated with the number of detected weaknesses, while stars and forks have little impact. These findings highlight the need for caution when using open-source code, as it can have several vulnerabilities that can compromise the software's security. Therefore, it is crucial to scan the third-party code before incorporating it into projects.

Original language	English
Title of host publication	Proceedings of 2024 28th International Conference on Evaluation and Assessment in Software Engineering, EASE 2024
Publisher	Association for Computing Machinery
Pages	634-642
Number of pages	9
ISBN (Electronic)	9798400717017
DOIs	https://doi.org/10.1145/3661167.3661279
State	Published - 18 Jun 2024
Event	28th International Conference on Evaluation and Assessment in Software Engineering, EASE 2024 - Salerno, Italy Duration: 18 Jun 2024 → 21 Jun 2024

Publication series

Name	ACM International Conference Proceeding Series

Conference

Conference	28th International Conference on Evaluation and Assessment in Software Engineering, EASE 2024
Country/Territory	Italy
City	Salerno
Period	18/06/24 → 21/06/24

Bibliographical note

Publisher Copyright:
© 2024 ACM.

Keywords

C#
C++
CWE
Empirical study
GitHub
JAVA
OWASP
Open-source
PVS-Studio
Project Security
SAST tools
Weaknesses

ASJC Scopus subject areas

Human-Computer Interaction
Computer Networks and Communications
Computer Vision and Pattern Recognition
Software

Access to Document

10.1145/3661167.3661279

Cite this

Al-Shammare, H., Al-Otaiby, N., Al-Otabi, M., & Alshayeb, M. (2024). An Empirical Investigation of the Security Weaknesses in Open-Source Projects. In Proceedings of 2024 28th International Conference on Evaluation and Assessment in Software Engineering, EASE 2024 (pp. 634-642). (ACM International Conference Proceeding Series). Association for Computing Machinery. https://doi.org/10.1145/3661167.3661279

@inproceedings{0e4510b3f6dd40f6872c2744a69be6f3,

title = "An Empirical Investigation of the Security Weaknesses in Open-Source Projects",

abstract = "With the increase of code reuse, the possibility of security vulnerabilities increases. Thus, tools for static analysis are widely used to evaluate open-source projects against security vulnerabilities. This research aims to empirically study common weakness types (CWEs), their frequencies, and the correlations between them and open-source project characteristics. The PVS-Studio tool analyzed 150 projects hosted on GitHub and written in C#, C++, and Java. The tool was used to investigate the common weaknesses found in these projects. Furthermore, our study has practical implications for developers and researchers interested in open-source project security. We have identified the factors that contribute to the presence of these weaknesses, and our statistical analyses have shed light on these factors. Notably, C++ projects tend to have more weaknesses. The most common types of weaknesses detected in these programming languages are CWE-571, 570, 690, 682, 476, 628, 563, 691, 704, and 393. The age of the project and the number of commits are found to be positively correlated with the number of detected weaknesses, while stars and forks have little impact. These findings highlight the need for caution when using open-source code, as it can have several vulnerabilities that can compromise the software's security. Therefore, it is crucial to scan the third-party code before incorporating it into projects.",

keywords = "C#, C++, CWE, Empirical study, GitHub, JAVA, OWASP, Open-source, PVS-Studio, Project Security, SAST tools, Weaknesses",

author = "Haifa Al-Shammare and Nehal Al-Otaiby and Muradi Al-Otabi and Mohammad Alshayeb",

note = "Publisher Copyright: {\textcopyright} 2024 ACM.; 28th International Conference on Evaluation and Assessment in Software Engineering, EASE 2024 ; Conference date: 18-06-2024 Through 21-06-2024",

year = "2024",

month = jun,

day = "18",

doi = "10.1145/3661167.3661279",

language = "English",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery",

pages = "634--642",

booktitle = "Proceedings of 2024 28th International Conference on Evaluation and Assessment in Software Engineering, EASE 2024",

}

Al-Shammare, H, Al-Otaiby, N, Al-Otabi, M & Alshayeb, M 2024, An Empirical Investigation of the Security Weaknesses in Open-Source Projects. in Proceedings of 2024 28th International Conference on Evaluation and Assessment in Software Engineering, EASE 2024. ACM International Conference Proceeding Series, Association for Computing Machinery, pp. 634-642, 28th International Conference on Evaluation and Assessment in Software Engineering, EASE 2024, Salerno, Italy, 18/06/24. https://doi.org/10.1145/3661167.3661279

An Empirical Investigation of the Security Weaknesses in Open-Source Projects. / Al-Shammare, Haifa; Al-Otaiby, Nehal; Al-Otabi, Muradi et al.
Proceedings of 2024 28th International Conference on Evaluation and Assessment in Software Engineering, EASE 2024. Association for Computing Machinery, 2024. p. 634-642 (ACM International Conference Proceeding Series).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - An Empirical Investigation of the Security Weaknesses in Open-Source Projects

AU - Al-Shammare, Haifa

AU - Al-Otaiby, Nehal

AU - Al-Otabi, Muradi

AU - Alshayeb, Mohammad

PY - 2024/6/18

Y1 - 2024/6/18

N2 - With the increase of code reuse, the possibility of security vulnerabilities increases. Thus, tools for static analysis are widely used to evaluate open-source projects against security vulnerabilities. This research aims to empirically study common weakness types (CWEs), their frequencies, and the correlations between them and open-source project characteristics. The PVS-Studio tool analyzed 150 projects hosted on GitHub and written in C#, C++, and Java. The tool was used to investigate the common weaknesses found in these projects. Furthermore, our study has practical implications for developers and researchers interested in open-source project security. We have identified the factors that contribute to the presence of these weaknesses, and our statistical analyses have shed light on these factors. Notably, C++ projects tend to have more weaknesses. The most common types of weaknesses detected in these programming languages are CWE-571, 570, 690, 682, 476, 628, 563, 691, 704, and 393. The age of the project and the number of commits are found to be positively correlated with the number of detected weaknesses, while stars and forks have little impact. These findings highlight the need for caution when using open-source code, as it can have several vulnerabilities that can compromise the software's security. Therefore, it is crucial to scan the third-party code before incorporating it into projects.

AB - With the increase of code reuse, the possibility of security vulnerabilities increases. Thus, tools for static analysis are widely used to evaluate open-source projects against security vulnerabilities. This research aims to empirically study common weakness types (CWEs), their frequencies, and the correlations between them and open-source project characteristics. The PVS-Studio tool analyzed 150 projects hosted on GitHub and written in C#, C++, and Java. The tool was used to investigate the common weaknesses found in these projects. Furthermore, our study has practical implications for developers and researchers interested in open-source project security. We have identified the factors that contribute to the presence of these weaknesses, and our statistical analyses have shed light on these factors. Notably, C++ projects tend to have more weaknesses. The most common types of weaknesses detected in these programming languages are CWE-571, 570, 690, 682, 476, 628, 563, 691, 704, and 393. The age of the project and the number of commits are found to be positively correlated with the number of detected weaknesses, while stars and forks have little impact. These findings highlight the need for caution when using open-source code, as it can have several vulnerabilities that can compromise the software's security. Therefore, it is crucial to scan the third-party code before incorporating it into projects.

KW - C#

KW - C++

KW - CWE

KW - Empirical study

KW - GitHub

KW - JAVA

KW - OWASP

KW - Open-source

KW - PVS-Studio

KW - Project Security

KW - SAST tools

KW - Weaknesses

UR - http://www.scopus.com/inward/record.url?scp=85197424319&partnerID=8YFLogxK

U2 - 10.1145/3661167.3661279

DO - 10.1145/3661167.3661279

M3 - Conference contribution

AN - SCOPUS:85197424319

T3 - ACM International Conference Proceeding Series

SP - 634

EP - 642

BT - Proceedings of 2024 28th International Conference on Evaluation and Assessment in Software Engineering, EASE 2024

PB - Association for Computing Machinery

T2 - 28th International Conference on Evaluation and Assessment in Software Engineering, EASE 2024

Y2 - 18 June 2024 through 21 June 2024

ER -

Al-Shammare H, Al-Otaiby N, Al-Otabi M, Alshayeb M. An Empirical Investigation of the Security Weaknesses in Open-Source Projects. In Proceedings of 2024 28th International Conference on Evaluation and Assessment in Software Engineering, EASE 2024. Association for Computing Machinery. 2024. p. 634-642. (ACM International Conference Proceeding Series). doi: 10.1145/3661167.3661279

An Empirical Investigation of the Security Weaknesses in Open-Source Projects

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this