Skip to main content

Research Repository

Advanced Search

An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples

Verdi, Morteza; Sami, Ashkan; Akhondali, Jafar; Khomh, Foutse; Uddin, Gias; Karami Motlagh, Alireza

Authors

Morteza Verdi

Ashkan Sami

Jafar Akhondali

Foutse Khomh

Gias Uddin

Alireza Karami Motlagh



Abstract

Software developers share programming solutions in Q&A sites like Stack Overflow, Stack Exchange, Android forum, and so on. The reuse of crowd-sourced code snippets can facilitate rapid prototyping. However, recent research shows that the shared code snippets may be of low quality and can even contain vulnerabilities. This paper aims to understand the nature and the prevalence of security vulnerabilities in crowd-sourced code examples. To achieve this goal, we investigate security vulnerabilities in the C++ code snippets shared on Stack Overflow over a period of 10 years. In collaborative sessions involving multiple human coders, we manually assessed each code snippet for security vulnerabilities following CWE (Common Weakness Enumeration) guidelines. From the 72,483 reviewed code snippets used in at least one project hosted on GitHub, we found a total of 99 vulnerable code snippets categorized into 31 types. Many of the investigated code snippets are still not corrected on Stack Overflow. The 99 vulnerable code snippets found in Stack Overflow were reused in a total of 2859 GitHub projects. To help improve the quality of code snippets shared on Stack Overflow, we developed a browser extension that allows Stack Overflow users to be notified for vulnerabilities in code snippets when they see them on the platform.

Citation

Verdi, M., Sami, A., Akhondali, J., Khomh, F., Uddin, G., & Karami Motlagh, A. (2022). An Empirical Study of C++ Vulnerabilities in Crowd-Sourced Code Examples. IEEE Transactions on Software Engineering, 48(5), 1497-1514. https://doi.org/10.1109/tse.2020.3023664

Journal Article Type Article
Acceptance Date Sep 6, 2020
Online Publication Date Sep 11, 2020
Publication Date May 1, 2022
Deposit Date Dec 2, 2022
Journal IEEE Transactions on Software Engineering
Print ISSN 0098-5589
Electronic ISSN 1939-3520
Publisher Institute of Electrical and Electronics Engineers
Peer Reviewed Not Peer Reviewed
Volume 48
Issue 5
Pages 1497-1514
DOI https://doi.org/10.1109/tse.2020.3023664
Keywords Software Engineering, Vulnerability migration, C++
Public URL http://researchrepository.napier.ac.uk/Output/2969226
Publisher URL https://ieeexplore.ieee.org/abstract/document/9195034