Process-based Indicators of Vulnerability Re-Introducing Code Changes: An Exploratory Case Study

TL;DR

This study explores how process metrics like team stability and issue management can predict the reintroduction of vulnerabilities in software, emphasizing the importance of analyzing development activities over time.

Contribution

It introduces a process-based approach to understanding vulnerability re-emergence, moving beyond code-level analysis to include socio-technical factors and commit sequences.

Findings

Reintroduction correlates with increased issue spoilage.

Fluctuating issue density indicates short-term inefficiencies.

Longitudinal process metrics can help predict risky fixes.

Abstract

Software vulnerabilities often persist or re-emerge even after being fixed, revealing the complex interplay between code evolution and socio-technical factors. While source code metrics provide useful indicators of vulnerabilities, software engineering process metrics can uncover patterns that lead to their introduction. Yet few studies have explored whether process metrics can reveal risky development activities over time -- insights that are essential for anticipating and mitigating software vulnerabilities. This work highlights the critical role of process metrics along with code changes in understanding and mitigating vulnerability reintroduction. We move beyond file-level prediction and instead analyze security fixes at the commit level, focusing not only on whether a single fix introduces a vulnerability but also on the longer sequences of changes through which vulnerabilities evolve and re-emerge. Our approach emphasizes that reintroduction is rarely the result of one isolated action, but emerges from cumulative development activities and socio-technical conditions. To support this analysis, we conducted a case study on the ImageMagick project by correlating longitudinal process metrics such as bus factor, issue density, and issue spoilage with vulnerability reintroduction activities, encompassing 76 instances of reintroduced vulnerabilities. Our findings show that reintroductions often align with increased issue spoilage and fluctuating issue density, reflecting short-term inefficiencies in issue management and team responsiveness. These observations provide a foundation for broader studies that combine process and code metrics to predict risky fixes and strengthen software security.