Method-Level Data in GitHub Pull Request Descriptions

Effects on Developers' Prioritization and Facilitation of Fixing Vulnerable Dependencies


Abstract

Modern software development involves the use of external third-party software projects as direct dependencies. However, developers of a dependent project have no control over critical aspects of the dependency, such as its development and testing. This puts the reliant repositories at risk through vulnerabilities that malicious attackers can exploit. Automated dependency maintenance tools can mitigate these risks, but they have an observed shortcoming: their package-level analysis approach lowers the accuracy of their vulnerability detection.
In this study, a total of 6,717 active projects hosted on GitHub were analysed using a method-level vulnerability analysis, which identified 24 projects affected by 4 distinct exposures. The developers were notified through GitHub Pull Requests that listed the methods in their projects which called vulnerable dependency methods. This was done with the aim of answering two questions: (i) whether the provided method call information makes developers prioritize the task of fixing vulnerabilities, and (ii) whether the fine-grained information facilitates the process of handling the exposures.
Developers' reactions to the method-level data were collected by means of a survey. The collected data revealed that the fine-grained information in the PRs had a positive effect on the developers' prioritization of fixing the vulnerable dependencies. Moreover, the provided data also facilitated the maintainers' fix process to some extent. However, due to the limited number of recorded responses, the research questions could not be answered conclusively.
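The distinction the abstract draws between package-level and method-level analysis, as an added example that is not part of the study: a package-level check flags any project that calls into an affected package, whereas a method-level check reports only the project methods that can reach the affected dependency method. The call graphs, package name, method names and advisory below are constructed for illustration, and the reachability check generalizes the study's direct-call reporting to transitive call paths.

```python
from collections import deque

# Constructed call graph (caller -> callees); all names are hypothetical.
# app.Config.load only uses the dependency's unaffected parser method.
CALL_GRAPH = {
    "app.Main.run": ["app.Report.render", "app.Config.load"],
    "app.Report.render": ["libmarkup.Renderer.render"],
    "app.Config.load": ["libmarkup.Parser.parseSafe"],
    "libmarkup.Renderer.render": ["libmarkup.Parser.parseUnsafe"],
    "libmarkup.Parser.parseSafe": [],
    "libmarkup.Parser.parseUnsafe": [],
}

# A second constructed project that depends on the same package but never
# reaches the affected method: a package-level false positive.
SAFE_GRAPH = {
    "tool.Cli.main": ["libmarkup.Parser.parseSafe"],
    "libmarkup.Parser.parseSafe": [],
}

# Constructed advisory: affected package and the methods that carry the flaw.
ADVISORY = {"package": "libmarkup", "methods": {"libmarkup.Parser.parseUnsafe"}}


def package_level_vulnerable(graph, advisory):
    """Package-level: any call into the affected package counts as exposure."""
    prefix = advisory["package"] + "."
    return any(c.startswith(prefix) for callees in graph.values() for c in callees)


def reaches(graph, start, targets):
    """Breadth-first search: can `start` transitively call any method in `targets`?"""
    seen, queue = {start}, deque([start])
    while queue:
        method = queue.popleft()
        if method in targets:
            return True
        for callee in graph.get(method, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return False


def method_level_callers(graph, advisory, project_prefix):
    """Method-level: the project's own methods that reach an affected method.
    This is the list a PR description would carry for the maintainers."""
    own = (m for m in graph if m.startswith(project_prefix + "."))
    return sorted(m for m in own if reaches(graph, m, advisory["methods"]))
```

Only the first project receives a method-level finding; both would be flagged by a package-level tool.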