Context
The security of a software project relies not only on the success of the vulnerability discovery but also on the success of the vulnerability remediation
- multiple commits are often needed to fix a vulnerability, and not all fixes completely solve the issue
- identifying an issue without being sure that it is actually solved can create a false sense of security
Proposal
Sequza: a novel tool to automatically analyze the commits responsible for introducing or fixing vulnerabilities. The proposal is language agnostic
- Sequza is a visualization tool that helps developers visualize security issues
Results
90% of the 130 projects analyzed include commits that, 1 out of 6 times, introduce new vulnerabilities instead of fixing one
- 78% of these introduced vulnerabilities could have been prevented if the developer had used a scanning/analyzing tool
- the tool can compute a prioritization score to help developers decide which issues to fix first:
- severity score: based on the OWASP (Open Web Application Security Project) Top 10 list
- sibling score: measures the density of the vulnerability (for instance, how many methods of a class are vulnerable; the higher the number, the higher the score)
- intro+fix score: if new vulnerabilities are introduced while fixing existing ones, the remediation process has failed, so these issues get higher priority
- lifetime score: vulnerabilities that have been present for a long time (historical bugs) have higher priority
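As an added illustration (not Sequza's code or formula), the four components above combined into one prioritization score over a constructed set of findings; the OWASP rank table, the weights and the sample data are assumptions made here:

```python
from dataclasses import dataclass

# Assumed severity ranks keyed by OWASP Top 10 category (illustrative, not Sequza's table).
OWASP_SEVERITY = {"A01 Broken Access Control": 1.0, "A03 Injection": 0.9,
                  "A05 Security Misconfiguration": 0.6, "A09 Logging Failures": 0.3}

@dataclass(frozen=True)
class Finding:
    vuln_id: str
    owasp: str               # OWASP Top 10 category of the finding
    class_name: str          # class containing the vulnerable method
    method: str
    introduced_at: int       # index of the commit that introduced it
    introduced_by_fix: bool  # the introducing commit was itself a vulnerability fix

def severity_score(f: Finding) -> float:
    return OWASP_SEVERITY.get(f.owasp, 0.1)

def sibling_score(f: Finding, findings: list, methods_per_class: dict) -> float:
    """Density of vulnerable methods in the finding's class: more siblings, higher score."""
    vulnerable = {g.method for g in findings if g.class_name == f.class_name}
    return len(vulnerable) / methods_per_class[f.class_name]

def intro_fix_score(f: Finding) -> float:
    """1.0 when the vulnerability was introduced by a commit meant to fix another one."""
    return 1.0 if f.introduced_by_fix else 0.0

def lifetime_score(f: Finding, head: int, history_len: int) -> float:
    """Fraction of the project's history the vulnerability has survived."""
    return (head - f.introduced_at) / history_len

def prioritize(findings, methods_per_class, head, history_len,
               weights=(0.4, 0.2, 0.25, 0.15)):
    """Return (vuln_id, score) pairs, highest priority first. Weights are an assumption."""
    w_sev, w_sib, w_fix, w_life = weights
    scored = [(f.vuln_id, round(w_sev * severity_score(f)
                                + w_sib * sibling_score(f, findings, methods_per_class)
                                + w_fix * intro_fix_score(f)
                                + w_life * lifetime_score(f, head, history_len), 3))
              for f in findings]
    return sorted(scored, key=lambda p: p[1], reverse=True)
# Constructed sample: three findings in a 600-commit history.
SAMPLE = [Finding("V1", "A03 Injection", "UserDao", "find", 100, False),
          Finding("V2", "A03 Injection", "UserDao", "update", 580, True),
          Finding("V3", "A05 Security Misconfiguration", "Config", "load", 540, False)]
METHODS_PER_CLASS = {"UserDao": 4, "Config": 2}
if __name__ == "__main__":
    for vuln_id, score in prioritize(SAMPLE, METHODS_PER_CLASS, head=600, history_len=600):
        print(vuln_id, score)
```

With these weights the injection introduced by a failed fix (V2) ranks first even though it is the youngest finding, which is the effect the intro+fix score is meant to have.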
Approach
- 130 GitHub projects with at least 500 commits each were selected
- CodeQL and the GitHub API were used to get commit metadata and to analyze the committed code