
rtyocum/research-maintenance-security


The Impact of Software Maintenance on Security

Abstract—Security is always measured through factors such as code churn and other metrics, but how does software maintenance affect security? This paper explores the relationship between bug closure time (maintenance) and defect density (security) to establish whether better-maintained projects have a higher level of security. CVEs from all projects are captured to calculate defect density, and bugs are collected from a handful of low-level, high-impact infrastructure projects, so that the two variables can be compared and a determination made on whether or not they are correlated.

Paper Link

This repository contains the code for the research project on Software Maintenance vs. Defect Density.

To install, you need Python 3.8 or higher. You can install the required packages using pip:

pip install -r requirements.txt

Generate a Gitlab and GitHub token with the necessary permissions to access the repositories you want to analyze. You can do this in your account settings on Gitlab and GitHub.

Set the environment variables for the Gitlab and GitHub tokens. You can do this in your terminal or by adding them to your .bashrc or .zshrc file:

export GITLAB_TOKEN=your_gitlab_token
export GITHUB_TOKEN=your_github_token

To run the CVE fetcher, use the following command:

python cve_fetcher.py

To run the issue fetcher, use the following command. NOTE: you will need to edit issue_fetcher.py with your cookies while logged into Apache Bugzilla. You can export them with any extension such as cookie.txt for Firefox.

python issue_fetcher.py

To run the data analysis, use the following command:

python calculate_stats.py

This script expects an all_data.csv file in the same directory, containing all bugs and CVEs fetched in the previous steps. As mentioned in the paper, some manual work is required to clean the data and remove duplicates. You can do this with Excel or any other spreadsheet software; just make sure to save the cleaned data as all_data.csv in the same directory as calculate_stats.py.

You will also need to edit the calculate_stats.py file with the Source Lines of Code (SLOC) for each project. This is necessary to calculate the defect density. To do this you can use a tool like cloc. After cloning the repositories, you can run the following command to get the SLOC for each project:

cloc ./repo_directory --include-lang=C,C++,"C/C++ Header"

Sample data is included in cve_final.xlsx for reference. It also includes the SLOC for each project, which you can use as a reference when filling in the SLOC for the projects you are analyzing.
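The two variables the paper compares can be computed from a cleaned all_data.csv in a few lines. The following is an added example, not the repository's calculate_stats.py: it assumes a constructed CSV with columns project, kind, opened and closed, and assumed SLOC values standing in for cloc output, then derives median bug closure time, defect density (CVEs per KSLOC) and their Pearson correlation.

```python
import csv
import io
import statistics
from datetime import date

# Constructed sample in the shape of a cleaned all_data.csv (not real project data).
# kind is "bug" (with a closed date) or "cve" (closed left empty).
SAMPLE_CSV = """project,kind,opened,closed
projA,bug,2023-01-01,2023-01-11
projA,bug,2023-02-01,2023-02-21
projA,cve,2023-03-01,
projB,bug,2023-01-01,2023-03-02
projB,bug,2023-02-01,2023-05-01
projB,cve,2023-03-01,
projB,cve,2023-04-01,
projB,cve,2023-05-01,
projC,bug,2023-01-01,2023-01-06
projC,cve,2023-02-01,
"""

# Assumed SLOC per project; in practice these come from the cloc command above.
SLOC = {"projA": 50_000, "projB": 20_000, "projC": 100_000}

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def closure_days(row):
    # Bug closure time in days, the paper's maintenance measure.
    return (date.fromisoformat(row["closed"]) - date.fromisoformat(row["opened"])).days

def project_stats(rows, sloc):
    stats = {}
    for project, lines in sloc.items():
        own = [r for r in rows if r["project"] == project]
        bugs = [closure_days(r) for r in own if r["kind"] == "bug" and r["closed"]]
        cves = sum(1 for r in own if r["kind"] == "cve")
        stats[project] = {
            "median_closure_days": statistics.median(bugs) if bugs else None,
            "defect_density": cves / (lines / 1000),  # CVEs per KSLOC
        }
    return stats

def pearson(xs, ys):
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def maintenance_vs_security(csv_text=SAMPLE_CSV, sloc=SLOC):
    # Projects without any closed bug are skipped rather than treated as zero days.
    stats = project_stats(load_rows(csv_text), sloc)
    usable = [s for s in stats.values() if s["median_closure_days"] is not None]
    r = pearson([s["median_closure_days"] for s in usable], [s["defect_density"] for s in usable])
    return stats, r
```

A positive r on the sample means slower bug closure goes with more CVEs per KSLOC; with real data, the cleaned CSV and cloc counts are substituted for the constructed values.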

About

This project attempts to correlate the impact of project maintenance on overall security
