A Study of Vulnerability Identifiers in Code Comments: Source, Purpose, and Severity
Software vulnerability is one of the weaknesses in computer security that challenges developers to rectify. Software maintainers rely on code comments to maintain their source code, including fixing vulnerability issues. To facilitate understanding the security issues in the related code, vulnerability identifiers are commonly included in code comments. However, not all vulnerability-related code comments clearly describe why the identifiers were included. Based on this evidence, we investigate the importance of vulnerability identifiers contained in source code comments, which is the novelty of this paper. We performed a study of 1,491 code comments that refer to vulnerability identifiers to define their categories. We then applied a mixed-method approach to classify the types of the related repository and code, the rationale for the identifier references, and the severity level of the vulnerabilities in the code. The results indicate that vulnerability identifiers in code comments are useful for flagging security issues in the related source code, and our study opens up opportunities for future work to investigate these problems further.
Main Authors: | Yusuf Sulistyo Nugroho, Dedi Gunawan, Devi Afriyantari Puspa Putri, Syful Islam, Abdulaziz Alhefdhi |
---|---|
Format: | Article |
Language: | English |
Published: | Croatian Communications and Information Society (CCIS), 2022-06-01 |
Series: | Journal of Communications Software and Systems |
Subjects: | code comments; identifier; vulnerability |
Online Access: | https://jcoms.fesb.unist.hr/10.24138/jcomss-2021-0124/ |
_version_ | 1818213175614504960 |
---|---|
author | Yusuf Sulistyo Nugroho Dedi Gunawan Devi Afriyantari Puspa Putri Syful Islam Abdulaziz Alhefdhi |
author_facet | Yusuf Sulistyo Nugroho Dedi Gunawan Devi Afriyantari Puspa Putri Syful Islam Abdulaziz Alhefdhi |
author_sort | Yusuf Sulistyo Nugroho |
collection | DOAJ |
description | Software vulnerability is one of the weaknesses in computer security that challenges developers to rectify. Software maintainers rely on code comments to maintain their source code, including fixing vulnerability issues. To facilitate understanding the security issues in the related code, vulnerability identifiers are commonly included in code comments. However, not all vulnerability-related code comments clearly describe why the identifiers were included. Based on this evidence, we investigate the importance of vulnerability identifiers contained in source code comments, which is the novelty of this paper. We performed a study of 1,491 code comments that refer to vulnerability identifiers to define their categories. We then applied a mixed-method approach to classify the types of the related repository and code, the rationale for the identifier references, and the severity level of the vulnerabilities in the code. The results indicate that vulnerability identifiers in code comments are useful for flagging security issues in the related source code, and our study opens up opportunities for future work to investigate these problems further. |
first_indexed | 2024-12-12T06:00:07Z |
format | Article |
id | doaj.art-af44f492a38d49918d82f1e64fd99281 |
institution | Directory Open Access Journal |
issn | 1845-6421 1846-6079 |
language | English |
last_indexed | 2024-12-12T06:00:07Z |
publishDate | 2022-06-01 |
publisher | Croatian Communications and Information Society (CCIS) |
record_format | Article |
series | Journal of Communications Software and Systems |
title | A Study of Vulnerability Identifiers in Code Comments: Source, Purpose, and Severity |
topic | code comments identifier vulnerability |
url | https://jcoms.fesb.unist.hr/10.24138/jcomss-2021-0124/ |