
Original scientific paper

https://doi.org/10.24138/jcomss-2021-0124

A Study of Vulnerability Identifiers in Code Comments: Source, Purpose, and Severity

Yusuf Sulistyo Nugroho (ORCID: https://orcid.org/0000-0001-6391-0851); Universitas Muhammadiyah Surakarta, Indonesia
Dedi Gunawan; Universitas Muhammadiyah Surakarta, Indonesia
Devi Afriyantari Puspa Putri; Universitas Muhammadiyah Surakarta, Indonesia
Syful Islam; Noakhali Science and Technology University, Bangladesh
Abdulaziz Alhefdhi; Prince Sattam Bin Abdulaziz University, Saudi Arabia


Full text: English, PDF, 1.558 KB

pp. 165-174

Downloads: 248



Abstract

Software vulnerabilities are weaknesses in computer security that developers are challenged to rectify. Software maintainers rely on code comments to maintain their source code, including when fixing vulnerability issues. To make the security issues in the related code easier to understand, vulnerability identifiers are commonly included in code comments. However, not all vulnerability-related code comments clearly describe why the identifiers were included. Based on this evidence, we investigate the importance of vulnerability identifiers contained in source code comments, which is the novelty of this paper. We performed a study of 1,491 code comments that refer to vulnerability identifiers in order to define their categories. We then applied a mixed-method approach to classify the types of the related repositories and code, the rationale for referencing the identifiers, and the severity level of the vulnerabilities in the code. The results indicate that vulnerability identifiers in code comments are useful for flagging security issues in the related source code, and our study opens up opportunities for future work to investigate these problems further.

Keywords

code comments; identifier; vulnerability

Hrčak ID: 277968

URI: https://hrcak.srce.hr/277968

Publication date: 30.6.2022.

Visits: 592