Exploring the Security Awareness of the Python and JavaScript Open Source Communities

by   Gábor Antal, et al.

Software security is undoubtedly a major concern in today's software engineering. Although the level of awareness of security issues is often high, practical experiences show that neither preventive actions nor reactions to possible issues are always addressed properly in reality. By analyzing large quantities of commits in the open-source communities, we can categorize the vulnerabilities mitigated by the developers and study their distribution, resolution time, etc. to learn and improve security management processes and practices. With the help of the Software Heritage Graph Dataset, we investigated the commits of two of the most popular script languages – Python and JavaScript – projects collected from public repositories and identified those that mitigate a certain vulnerability in the code (i.e. vulnerability resolution commits). On the one hand, we identified the types of vulnerabilities (in terms of CWE groups) referred to in commit messages and compared their numbers within the two communities. On the other hand, we examined the average time elapsing between the publish date of a vulnerability and the first reference to it in a commit. We found that there is a large intersection in the vulnerability types mitigated by the two communities, but most prevalent vulnerabilities are specific to language. Moreover, neither the JavaScript nor the Python community reacts very fast to appearing security vulnerabilities in general with only a couple of exceptions for certain CWE groups.


page 1

page 2

page 3

page 4


The Impact of a Major Security Event on an Open Source Project: The Case of OpenSSL

Context: The Heartbleed vulnerability brought OpenSSL to international a...

An Exploratory Study into Vulnerability Chaining Blindness Terminology and Viability

To tie together the concepts of linkage blindness and the inability to l...

A ground-truth dataset of real security patches

Training machine learning approaches for vulnerability identification an...

Exploring Security Commits in Python

Python has become the most popular programming language as it is friendl...

An Analysis of How Many Undiscovered Vulnerabilities Remain in Information Systems

Vulnerability management strategy, from both organizational and public p...

Learning to Identify Security-Related Issues Using Convolutional Neural Networks

Software security is becoming a high priority for both large companies a...

Learning to Identify Security-RelatedIssues Using Convolutional Neural Networks

Software security is becoming a high priority for both large companies a...

Please sign up or login with your details

Forgot password? Click here to reset