
    Software reuse cuts both ways: An empirical analysis of its relationship with security vulnerabilities

    Software reuse is a widely adopted practice among both researchers and practitioners. The relation between security and reuse can go both ways: a system can become more secure by relying on mature dependencies, or more insecure by exposing a larger attack surface via exploitable dependencies. To follow up on a previous study and shed more light on this subject, we further examine the association between software reuse and security threats. In particular, we empirically investigate 1244 open-source projects in a multiple-case study to explore and discuss the distribution of security vulnerabilities between the code created by a development team and the code reused through dependencies. For that, we consider both potential vulnerabilities, as assessed through static analysis, and disclosed vulnerabilities, as reported in public databases. The results suggest that larger projects are associated with an increase in the number of potential vulnerabilities in both native and reused code. Moreover, we found a strong correlation between a higher number of dependencies and the number of vulnerabilities. Based on our empirical investigation, it appears that source code reuse is neither a silver bullet to combat vulnerabilities nor a frightening werewolf that entails an excessive number of them.

    An Embedded Multiple-Case Study on OSS Design Quality Assessment across Domains

    Context: Investing in Open Source Software (OSS) as a "code reuser" involves certain risks, such as the difficulty in understanding the level of OSS design quality. Aim: We investigate the levels of design quality of OSS projects across different application domains. Method: We conducted a case study, which is the most fitting research method for observing a phenomenon in its real context that is active for a long period of time and whose variables cannot be controlled. Results: We present the values of seven design quality metrics for 546 OSS projects, as well as the statistically significant differences across application domains. Conclusions: The results of the study suggest that OSS application domains correlate with several design quality characteristics, in the sense that projects within one application domain appear to have similar levels of design quality. In addition, the results reveal application domains with high and low levels of design quality.

    A methodology on extracting reusable software candidate components from open source games

    Component-Based Software Engineering (CBSE) focuses on the development of reusable components in order to enable their reuse in more systems, rather than only in the original ones for which they were implemented in the first place (i.e. development for reuse), and on the development of new systems with reusable components (i.e. development with reuse). This paper aims at introducing a methodology for the extraction of candidate reusable software components from open source games. The extracted components have been empirically evaluated through a case study. Additionally, the component candidates that have been extracted are available for reuse through a web service.

    Dataset: Security vulnerabilities in open-source reused systems

    This dataset comprises 2017 Java projects. It contains information related to their external dependencies and their potential and disclosed security vulnerabilities. The potential vulnerabilities were detected with the SpotBugs static analyzer, while the disclosed ones were found with the OWASP Dependency-Check tool. This dataset was generated during a research effort to correlate software reuse with security vulnerabilities. The scripts for reproducing the dataset and analyzing it are available on GitHub under this link [https://github.com/AntonisGkortzis/Vulnerabilities-in-Reused-Software].
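    The first abstract above and this dataset entry describe the same pipeline: run a static analyzer over a project and its dependencies, attribute each potential vulnerability to native or reused code, add the disclosed vulnerabilities reported for the dependencies, and correlate dependency count with vulnerability count. The script below is an added example of that pipeline, written for this page; it is not code from the papers or from the AntonisGkortzis/Vulnerabilities-in-Reused-Software repository. It assumes a package-prefix rule for deciding which SpotBugs findings are native (the study's own attribution method is not described here), it reads only the small subset of the SpotBugs XML and Dependency-Check JSON formats that it names in the comments, and every report, project, class name and vulnerability id it contains is constructed sample data, not a real scan result.

```python
"""Split SpotBugs findings into native vs. reused code, count disclosed
vulnerabilities from an OWASP Dependency-Check report, and correlate the
number of dependencies with the number of vulnerabilities across projects."""
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# SpotBugs categories treated as security-relevant (SpotBugs' own names).
SECURITY_CATEGORIES = frozenset({"SECURITY", "MALICIOUS_CODE"})

@dataclass(frozen=True)
class Split:
    native: int  # findings in classes under the project's own packages
    reused: int  # findings in classes that arrived through dependencies

def classify_spotbugs(xml_text: str, native_prefixes: tuple) -> Split:
    """Count security findings in a SpotBugs XML report (BugInstance elements
    with a category attribute and a Class child). Attribution rule, an
    assumption of this example and not the study's: a finding is native when
    its primary class lies under one of the project's own package prefixes."""
    prefixes = tuple(p if p.endswith(".") else p + "." for p in native_prefixes)
    native = reused = 0
    for bug in ET.fromstring(xml_text).iter("BugInstance"):
        if bug.get("category") not in SECURITY_CATEGORIES:
            continue
        cls = bug.find("Class")  # the first <Class> is the primary class
        if cls is None:
            continue
        if cls.get("classname", "").startswith(prefixes):
            native += 1
        else:
            reused += 1
    return Split(native, reused)

def count_disclosed(report_json: str) -> tuple:
    """Return (dependency count, disclosed vulnerability count) from a
    Dependency-Check JSON report; only the 'dependencies' list and each
    entry's optional 'vulnerabilities' list are read."""
    deps = json.loads(report_json).get("dependencies", [])
    return len(deps), sum(len(d.get("vulnerabilities", [])) for d in deps)

def ranks(values):
    """1-based average ranks, so ties do not bias the correlation."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    out, i = [0.0] * len(values), 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            out[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return out

def spearman(xs, ys):
    """Spearman rank correlation, computed as Pearson on average ranks."""
    rx, ry = ranks(xs), ranks(ys)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    var = sum((a - mx) ** 2 for a in rx) * sum((b - my) ** 2 for b in ry)
    return cov / var ** 0.5

# ---- constructed sample reports (not real scan output) ----------------------
def make_spotbugs_report(findings):
    """Minimal BugCollection built from (pattern, category, classname) triples."""
    body = "".join(f'<BugInstance type="{t}" priority="1" category="{c}">'
                   f'<Class classname="{n}"/></BugInstance>' for t, c, n in findings)
    return f'<BugCollection version="4.7.3">{body}</BugCollection>'

def make_depcheck_report(vulns_per_dep):
    """Minimal Dependency-Check report; ids are placeholders, not real CVEs."""
    deps = []
    for i, n in enumerate(vulns_per_dep):
        dep = {"fileName": f"lib-{i}.jar"}
        if n:  # readers must tolerate the key being absent for a clean dependency
            dep["vulnerabilities"] = [{"name": f"EXAMPLE-{i}-{k}"} for k in range(n)]
        deps.append(dep)
    return json.dumps({"dependencies": deps})

def security_findings(n, package):
    return [("PT_ABSOLUTE_PATH_TRAVERSAL", "SECURITY", f"{package}.C{k}") for k in range(n)]

# name -> (own package prefixes, SpotBugs findings, disclosed vulns per dependency)
SAMPLE_PROJECTS = {
    "small": (("com.example.small",), security_findings(1, "com.example.small"), [0]),
    "medium": (("com.example.medium",),
               security_findings(2, "com.example.medium") + security_findings(1, "org.vendor.a")
               + [("DM_DEFAULT_ENCODING", "I18N", "com.example.medium.Report")],  # not security
               [0, 1, 0, 0]),
    "legacy": (("com.example.legacy",),
               security_findings(3, "com.example.legacy") + security_findings(4, "org.vendor.b"),
               [1, 1, 0, 2, 0, 0]),
    "large": (("com.example.large",),
              security_findings(3, "com.example.large") + security_findings(4, "org.vendor.c"),
              [0] * 9 + [1, 1, 1]),
}

def summarise(projects=SAMPLE_PROJECTS):
    """Per project: dependencies, native/reused potential findings, disclosed vulns."""
    rows = {}
    for name, (prefixes, findings, vulns_per_dep) in projects.items():
        split = classify_spotbugs(make_spotbugs_report(findings), prefixes)
        n_deps, disclosed = count_disclosed(make_depcheck_report(vulns_per_dep))
        rows[name] = {"deps": n_deps, "native": split.native, "reused": split.reused,
                      "disclosed": disclosed, "total": split.native + split.reused + disclosed}
    return rows

def dependency_vulnerability_correlation(rows):
    names = list(rows)
    return spearman([rows[n]["deps"] for n in names], [rows[n]["total"] for n in names])

if __name__ == "__main__":
    rows = summarise()
    for name, r in rows.items():
        print(f"{name:7} deps={r['deps']:2} native={r['native']} reused={r['reused']} disclosed={r['disclosed']}")
    print("Spearman(dependencies, vulnerabilities) =", round(dependency_vulnerability_correlation(rows), 3))
```

Two details matter when doing this on real reports. A SpotBugs `BugInstance` can list several `Class` elements (the primary class plus others with a `role` attribute), so a counting script has to pick the primary one consistently or it double-counts findings that span classes. And Spearman is used rather than Pearson because vulnerability counts are heavily skewed across projects, so a handful of very large projects would otherwise dominate a linear correlation; the constructed "legacy" project, which has more findings than the larger "large" project, is there to show the rank correlation dropping below 1 for that reason.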

    Code reuse in practice: Benefiting or harming technical debt

    In recent years, the technical debt (TD) community has been striving to offer methods and tools for reducing the amount of TD, but also to understand the underlying concepts. One popular practice that has not yet been investigated in the context of TD is software reuse. The aim of this paper is to investigate the relation between white-box code reuse and TD principal and interest. In particular, we aim to unveil whether the reuse of code can lead to software with better levels of TD. To achieve this goal, we performed a case study on approximately 400 OSS systems, comprising 897 thousand classes, and compared the levels of TD for reused and natively-written classes. The results of the study suggest that reused code usually has less TD interest; however, the amount of principal in it is higher. A synthesized view of the aforementioned results suggests that software engineers should opt to reuse code when necessary, since apart from the established reuse benefits (i.e., cost savings, increased productivity, etc.) they also gain benefits in terms of maintenance. Apart from understanding the phenomenon per se, the results of this study provide various implications for research and practice.

    Identifying Extract Method Refactoring Opportunities Based on Functional Relevance

    'Extract Method' is considered one of the most frequently applied and beneficial refactorings, since the corresponding Long Method smell is among the most common and persistent ones. Although Long Method is conceptually related to the implementation of diverse functionalities within a method, until now this relationship has not been utilized while identifying refactoring opportunities. In this paper we introduce an approach (accompanied by a tool) that aims at identifying source code chunks that collaborate to provide a specific functionality, and propose their extraction as separate methods. The accuracy of the proposed approach has been empirically validated both in an industrial and an open-source setting. In the former case, the approach was capable of identifying functionally related statements within two industrial long methods (approx. 500 LoC each), with a recall rate of 93 percent. In the latter case, based on a comparative study on open-source data, our approach ranks better compared to two well-known techniques from the literature. To assist software engineers in the prioritization of the suggested refactoring opportunities, the approach ranks them based on an estimate of their fitness for extraction. The provided ranking has been validated in both settings and proved to be strongly correlated with experts' opinion.

    Dataset: Potential security vulnerabilities in open-source reused systems

    This dataset comprises 301 Java projects. It contains information related to their external dependencies and their potential security vulnerabilities. It was generated during a research effort to correlate software reuse with security vulnerabilities. The scripts for reproducing the dataset are available on GitHub under this link [https://github.com/AntonisGkortzis/Vulnerabilities-in-Reused-Software].
