An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples
Morteza Verdi, Ashkan Sami, Jafar Akhondali, Foutse Khomh, Gias Uddin, and Alireza Karami Motlagh

TL;DR
This study manually reviews 72,483 C++ code snippets shared on Stack Overflow over 10 years, finds 69 vulnerable snippets spanning 29 CWE types, and traces their reuse into 2,859 GitHub projects, underscoring the need for vulnerability checking of crowd-sourced code.
Contribution
The paper provides the first large-scale empirical analysis of security vulnerabilities in crowd-sourced C++ code snippets and introduces a browser extension for vulnerability checking.
Findings
69 vulnerable snippets found in 72,483 analyzed
Vulnerable snippets reused in 2,859 GitHub projects
Many vulnerabilities remain uncorrected on Stack Overflow
Abstract
Software developers share programming solutions in Q&A sites like Stack Overflow. The reuse of crowd-sourced code snippets can facilitate rapid prototyping. However, recent research shows that the shared code snippets may be of low quality and can even contain vulnerabilities. This paper aims to understand the nature and the prevalence of security vulnerabilities in crowd-sourced code examples. To achieve this goal, we investigate security vulnerabilities in the C++ code snippets shared on Stack Overflow over a period of 10 years. In collaborative sessions involving multiple human coders, we manually assessed each code snippet for security vulnerabilities following CWE (Common Weakness Enumeration) guidelines. From the 72,483 reviewed code snippets used in at least one project hosted on GitHub, we found a total of 69 vulnerable code snippets categorized into 29 types. Many of the…
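As an added illustration, not code from the paper or its Stack Overflow dataset, of the kind of CWE-classified weakness such a manual review flags: an answer-style copy of caller text into a fixed buffer with no length check (the pattern CWE-120, classic buffer overflow, describes) beside a bounded replacement that always NUL-terminates and reports truncation. The function names, the buffer sizes and the sample inputs are assumptions made for this example.

```cpp
#include <cstring>
#include <cstddef>
#include <cstdio>

// Typical Q&A-style snippet: copy a C string into a fixed-size buffer.
// Weakness (CWE-120): the destination size is never checked, so any
// input longer than the buffer writes past its end. Kept deliberately
// vulnerable to show the pattern; never call it with untrusted input.
void copy_unchecked(char* dst, const char* src) {
    std::strcpy(dst, src);
}

// Length of src, scanning at most `cap` bytes (portable stand-in for strnlen).
static std::size_t bounded_len(const char* src, std::size_t cap) {
    std::size_t n = 0;
    while (n < cap && src[n] != '\0') ++n;
    return n;
}

// Hardened form: copies at most dst_size - 1 bytes, always terminates dst,
// and returns false when the input had to be truncated (or arguments are bad).
bool copy_bounded(char* dst, std::size_t dst_size, const char* src) {
    if (dst == nullptr || src == nullptr || dst_size == 0) return false;
    std::size_t n = bounded_len(src, dst_size);   // never reads past dst_size
    if (n >= dst_size) {                          // no room for the terminator
        std::memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;                             // truncated
    }
    std::memcpy(dst, src, n + 1);                 // n bytes plus the terminator
    return true;
}

int main() {
    char buf[8];                                   // assumed: 8-byte destination
    // Constructed inputs: one that fits, one that would overflow copy_unchecked.
    const char* ok = "hello";
    const char* too_long = "this is too long";
    std::printf("fits: %d -> \"%s\"\n", copy_bounded(buf, sizeof buf, ok), buf);
    std::printf("fits: %d -> \"%s\"\n", copy_bounded(buf, sizeof buf, too_long), buf);
    // copy_unchecked(buf, too_long) would overflow buf; it is not called here.
    return 0;
}
```

A reviewer applying CWE guidelines would tag `copy_unchecked` as CWE-120 regardless of how the answer is phrased; the return value of `copy_bounded` is what lets the caller notice truncation instead of silently corrupting adjacent memory. In idiomatic C++ the further fix is to avoid raw buffers and hold the text in `std::string`.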
