TL;DR
This study analyzes open-source Python and JavaScript projects to understand their security vulnerability mitigation practices, revealing common vulnerability types, language-specific issues, and generally slow response times to emerging security threats.
Contribution
It provides a comparative analysis of vulnerability mitigation in Python and JavaScript communities using large-scale commit data, highlighting response times and vulnerability types.
Findings
Large overlap in vulnerability types mitigated by both communities.
Most prevalent vulnerabilities are language-specific.
Response times to vulnerabilities are generally slow, with few exceptions.
Abstract
Software security is undoubtedly a major concern in today's software engineering. Although the level of awareness of security issues is often high, practical experience shows that neither preventive actions nor reactions to possible issues are always addressed properly in reality. By analyzing large quantities of commits in open-source communities, we can categorize the vulnerabilities mitigated by the developers and study their distribution, resolution time, etc. to learn from and improve security management processes and practices. With the help of the Software Heritage Graph Dataset, we investigated the commits of projects written in two of the most popular scripting languages -- Python and JavaScript -- collected from public repositories and identified those that mitigate a certain vulnerability in the code (i.e. vulnerability resolution commits). On the one hand, we identified the types of…