DOI: 10.1145/3524842.3528469
Short paper

WeakSATD: detecting weak self-admitted technical debt

Published: 17 October 2022

Abstract

Speeding up development may produce technical debt, i.e., not-quite-right code for which the effort to make it right grows with time, as a sort of interest. Developers may be aware of the debt, as they admit it in their code comments. The literature reports that such self-admitted technical debt survives for a long time in a program, but its impact on the long-term quality of the code is not yet clear. We argue that self-admitted technical debt contains a number of different weaknesses that may affect the security of a program; therefore, the longer a debt is not paid back, the higher the risk that those weaknesses can be exploited. To discuss our claim and raise developers' awareness of the vulnerability of self-admitted technical debt that is not paid back, we explore the self-admitted technical debt in the Chromium C code to detect any known weaknesses. In this preliminary study, we first mine the Common Weakness Enumeration repository to define heuristics for the automatic detection and fix of weak code. Then, we parse the C code to find self-admitted technical debt and the code block it refers to. Finally, we use the heuristics to find weak code snippets associated with self-admitted technical debt and recommend their potential mitigation to developers. Such knowledge can be used to prioritize self-admitted technical debt for repair. A prototype has been developed and applied to the Chromium code. Initial findings report that 55% of self-admitted technical debt code contains weak code of 14 different types.
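The pipeline the abstract describes (find a self-admitted technical debt comment, take the code block it refers to, apply CWE-derived heuristics to that block, and suggest a mitigation) reduced to a runnable sketch. This is an example added here, not the paper's prototype and not Chromium code; the task-marker keywords, the block-extraction rule, the four-entry heuristic table and the sample C source are assumptions made for the illustration, and the CWE identifiers are the standard ones for unbounded copies (CWE-120) and for gets() (CWE-242).

```python
"""WeakSATD-style scan of C source, written as an illustration for this page;
it is not the paper's prototype. Assumptions: SATD is admitted with the
task-marker keywords below, the block a comment refers to is the run of
non-blank lines that follows it within the same scope, and the heuristic
table is a small hand-picked subset of CWE-backed unbounded calls."""
import re
from typing import Dict, List, Tuple

# Assumed SATD markers (comment must start with // or /* and contain one).
SATD_RE = re.compile(r"(//|/\*).*?\b(TODO|FIXME|HACK|XXX)\b")
# Hypothetical heuristic table: call name -> (CWE id, suggested mitigation).
WEAK_CALLS: Dict[str, Tuple[str, str]] = {
    "gets":    ("CWE-242", "replace with fgets(buf, sizeof buf, stream)"),
    "strcpy":  ("CWE-120", "replace with snprintf or a length-checked copy"),
    "strcat":  ("CWE-120", "replace with snprintf or a length-checked append"),
    "sprintf": ("CWE-120", "replace with snprintf and check its return value"),
}
CALL_RE = re.compile(r"\b(" + "|".join(WEAK_CALLS) + r")\s*\(")
COMMENT_RE = re.compile(r"/\*.*?\*/|//.*")   # strips comment text on one line


def satd_blocks(lines: List[str]) -> List[dict]:
    """Pair every SATD comment with the code lines it refers to."""
    blocks = []
    for i, line in enumerate(lines):
        if not SATD_RE.search(line):
            continue
        depth, body = 0, []
        for j in range(i + 1, len(lines)):
            text = lines[j]
            if not text.strip():
                break                      # blank line ends the block
            depth += text.count("{") - text.count("}")
            body.append((j + 1, text))
            if depth < 0:
                break                      # closing brace left the comment's scope
        blocks.append({"line": i + 1, "comment": line.strip(), "body": body})
    return blocks


def weak_calls(block: dict) -> List[dict]:
    """Apply the heuristic table to the code (not the comment text) of one block."""
    hits = []
    for lineno, text in block["body"]:
        for m in CALL_RE.finditer(COMMENT_RE.sub("", text)):
            cwe, fix = WEAK_CALLS[m.group(1)]
            hits.append({"line": lineno, "call": m.group(1), "cwe": cwe, "fix": fix})
    return hits


def scan(source: str) -> dict:
    """Return per-SATD findings plus the share of SATD blocks holding weak code."""
    findings = [{"satd_line": b["line"], "comment": b["comment"], "weak": weak_calls(b)}
                for b in satd_blocks(source.splitlines())]
    weak = sum(1 for f in findings if f["weak"])
    return {"satd": len(findings), "weak_satd": weak,
            "weak_ratio": weak / len(findings) if findings else 0.0,
            "findings": findings}


# Constructed sample: three SATD comments, two of them next to unbounded calls,
# and one unmarked legacy gets() that a SATD-driven scan deliberately ignores.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

static void copy_name(char *dst, const char *src) {
    // TODO: add bounds checking, callers pass untrusted input
    strcpy(dst, src);
}

static void log_user(const char *user) {
    char line[64];
    // FIXME: quick and dirty formatting
    sprintf(line, "user=%s", user);
    puts(line);
}

static int parse_flag(const char *s) {
    /* HACK: only the first character matters for now */
    return s[0] == 'y';
}

static void read_line(char *buf) {
    /* legacy code, not admitted as debt */
    gets(buf);
}
"""

if __name__ == "__main__":
    report = scan(SAMPLE_C)
    for f in report["findings"]:
        for h in f["weak"]:
            print(f"SATD line {f['satd_line']} -> line {h['line']}: "
                  f"{h['call']}() [{h['cwe']}], {h['fix']}")
    print(f"{report['weak_satd']}/{report['satd']} SATD blocks contain weak code")
```

On the constructed sample, two of the three SATD blocks are flagged (strcpy and sprintf), the HACK block is clean, and the unmarked gets() is not reported at all: a SATD-first scan is a prioritisation aid for admitted debt, not a whole-program audit, which is why the two views complement rather than replace each other.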

Published In

MSR '22: Proceedings of the 19th International Conference on Mining Software Repositories
May 2022
815 pages
ISBN:9781450393034
DOI:10.1145/3524842
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

  • IEEE CS

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. security
  2. self-admitted technical debt
  3. vulnerability
  4. weak code

Qualifiers

  • Short-paper

Funding Sources

  • Free University of Bozen-Bolzano

Conference

MSR '22

Cited By

  • (2024) What Makes a Good TODO Comment? ACM Transactions on Software Engineering and Methodology 33(6), 1-30. DOI: 10.1145/3664811. Online publication date: 28 June 2024.
  • (2023) Self-Admitted Technical Debt in the Embedded Systems Industry: An Exploratory Case Study. IEEE Transactions on Software Engineering 49(4), 2545-2565. DOI: 10.1109/TSE.2022.3224378. Online publication date: 1 April 2023.
  • (2022) An In-Depth Survey of Bypassing Buffer Overflow Mitigation Techniques. Applied Sciences 12(13), 6702. DOI: 10.3390/app12136702. Online publication date: 1 July 2022.
  • (2022) Self-Admitted Technical Debt and comments' polarity: an empirical study. Empirical Software Engineering 27(6). DOI: 10.1007/s10664-022-10183-w. Online publication date: 1 November 2022.
