906 lines
49 KiB
Clojure
906 lines
49 KiB
Clojure
{:highlights [{:id #uuid "657b0337-6189-4b88-828a-a4e41e886c07",
|
||
:page 1,
|
||
:position {:bounding {:x1 114.22917175292969,
|
||
:y1 517.03125,
|
||
:x2 627.5102996826172,
|
||
:y2 561.6771240234375,
|
||
:width 1305.6,
|
||
:height 1689.6},
|
||
:rects ({:x1 114.22917175292969,
|
||
:y1 517.03125,
|
||
:x2 627.5102996826172,
|
||
:y2 538.3646240234375,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 540.34375,
|
||
:x2 470.45664978027344,
|
||
:y2 561.6771240234375,
|
||
:width 1305.6,
|
||
:height 1689.6}),
|
||
:page 1},
|
||
:content {:text "This work investigates the security implications of SATD from a technical and developer-centred perspective."},
|
||
:properties {:color "green"}}
|
||
{:id #uuid "657b034a-6da8-4c4e-9589-da4b20a0d5bc",
|
||
:page 1,
|
||
:position {:bounding {:x1 114.10417175292969,
|
||
:y1 540.34375,
|
||
:x2 630.6959075927734,
|
||
:y2 631.96875,
|
||
:width 1305.6,
|
||
:height 1689.6},
|
||
:rects ({:x1 618.5191040039062,
|
||
:y1 540.34375,
|
||
:x2 627.461669921875,
|
||
:y2 561.6771240234375,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 563.8333740234375,
|
||
:x2 627.4716033935547,
|
||
:y2 585.1666870117188,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 587.1458740234375,
|
||
:x2 630.6959075927734,
|
||
:y2 608.4791870117188,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.10417175292969,
|
||
:y1 610.6354370117188,
|
||
:x2 402.02879333496094,
|
||
:y2 631.96875,
|
||
:width 1305.6,
|
||
:height 1689.6}),
|
||
:page 1},
|
||
:content {:text "it analyses whether security pointers disclosed inside SATD sources can be used to characterise vulnerabilities in Open-Source Software (OSS) projects and repositories"},
|
||
:properties {:color "purple"}}
|
||
{:id #uuid "657b035f-880e-400d-b6bc-52cfc54836df",
|
||
:page 1,
|
||
:position {:bounding {:x1 114.76042175292969,
|
||
:y1 610.6354370117188,
|
||
:x2 627.5328369140625,
|
||
:y2 678.59375,
|
||
:width 1305.6,
|
||
:height 1689.6},
|
||
:rects ({:x1 563.0949096679688,
|
||
:y1 610.6354370117188,
|
||
:x2 627.5328369140625,
|
||
:y2 631.96875,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 633.9479370117188,
|
||
:x2 626.8239593505859,
|
||
:y2 655.28125,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 657.2604370117188,
|
||
:x2 625.4587249755859,
|
||
:y2 678.59375,
|
||
:width 1305.6,
|
||
:height 1689.6}),
|
||
:page 1},
|
||
:content {:text "it delves into developers’ perspectives regarding the motivations behind this practice, its prevalence, and its potential negative consequences"},
|
||
:properties {:color "purple"}}
|
||
{:id #uuid "657b037c-e116-4902-af66-9151ee9ac98e",
|
||
:page 1,
|
||
:position {:bounding {:x1 114.76042175292969,
|
||
:y1 704.0625,
|
||
:x2 627.5103607177734,
|
||
:y2 748.71875,
|
||
:width 1305.6,
|
||
:height 1689.6},
|
||
:rects ({:x1 165.97483825683594,
|
||
:y1 704.0625,
|
||
:x2 627.5103607177734,
|
||
:y2 725.3958740234375,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 727.3854370117188,
|
||
:x2 188.72341918945312,
|
||
:y2 748.71875,
|
||
:width 1305.6,
|
||
:height 1689.6}),
|
||
:page 1},
|
||
:content {:text "analysis of a preexisting dataset containing 94,455 SATD instances"},
|
||
:properties {:color "green"}}
|
||
{:id #uuid "657b0383-b5ac-4672-a89d-3fa8c3dcdf15",
|
||
:page 1,
|
||
:position {:bounding {:x1 271.4266357421875,
|
||
:y1 727.3854370117188,
|
||
:x2 591.58349609375,
|
||
:y2 748.71875,
|
||
:width 1305.6,
|
||
:height 1689.6},
|
||
:rects ({:x1 271.4266357421875,
|
||
:y1 727.3854370117188,
|
||
:x2 591.58349609375,
|
||
:y2 748.71875,
|
||
:width 1305.6,
|
||
:height 1689.6}),
|
||
:page 1},
|
||
:content {:text " online survey with 222 OSS practitioners"},
|
||
:properties {:color "green"}}
|
||
{:id #uuid "657b03d6-fc1a-4889-9316-a0048d186dcf",
|
||
:page 1,
|
||
:position {:bounding {:x1 114.22917175292969,
|
||
:y1 750.8646240234375,
|
||
:x2 627.5078125,
|
||
:y2 819,
|
||
:width 1305.6,
|
||
:height 1689.6},
|
||
:rects ({:x1 164.0858154296875,
|
||
:y1 750.8646240234375,
|
||
:x2 627.5078125,
|
||
:y2 772.1979370117188,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 774.1875,
|
||
:x2 627.4780120849609,
|
||
:y2 795.5208740234375,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.22917175292969,
|
||
:y1 797.6666870117188,
|
||
:x2 254.36236572265625,
|
||
:y2 819,
|
||
:width 1305.6,
|
||
:height 1689.6}),
|
||
:page 1},
|
||
:content {:text "We gathered 201 SATD instances through the dataset analysis and mapped them to different Common Weakness Enumeration(CWE) identifiers. "},
|
||
:properties {:color "blue"}}
|
||
{:id #uuid "657b03f5-da8f-43b9-b6f9-f9dd4ac56d3a",
|
||
:page 1,
|
||
:position {:bounding {:x1 114.76042175292969,
|
||
:y1 797.6666870117188,
|
||
:x2 630.3765106201172,
|
||
:y2 889.125,
|
||
:width 1305.6,
|
||
:height 1689.6},
|
||
:rects ({:x1 318.6688537597656,
|
||
:y1 797.6666870117188,
|
||
:x2 627.5242919921875,
|
||
:y2 819,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 820.9896240234375,
|
||
:x2 627.4748382568359,
|
||
:y2 842.3229370117188,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 844.3021240234375,
|
||
:x2 630.3765106201172,
|
||
:y2 865.6354370117188,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 867.7916870117188,
|
||
:x2 214.3110809326172,
|
||
:y2 889.125,
|
||
:width 1305.6,
|
||
:height 1689.6}),
|
||
:page 1},
|
||
:content {:text "25 different types of CWEs were spotted across commit messages, pull requests, code comments, and issue sections, from which 8 appear among MITRE’s Top-25 most dangerous ones"},
|
||
:properties {:color "blue"}}
|
||
{:id #uuid "657b0418-e290-4295-b8ea-881eb58074ad",
|
||
:page 1,
|
||
:position {:bounding {:x1 114.76042175292969,
|
||
:y1 867.7916870117188,
|
||
:x2 629.5842132568359,
|
||
:y2 959.2396240234375,
|
||
:width 1305.6,
|
||
:height 1689.6},
|
||
:rects ({:x1 224.0298309326172,
|
||
:y1 867.7916870117188,
|
||
:x2 627.1461029052734,
|
||
:y2 889.125,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 891.1041870117188,
|
||
:x2 627.9604339599609,
|
||
:y2 912.4375,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 914.4166870117188,
|
||
:x2 629.5842132568359,
|
||
:y2 935.75,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 937.90625,
|
||
:x2 282.4364013671875,
|
||
:y2 959.2396240234375,
|
||
:width 1305.6,
|
||
:height 1689.6}),
|
||
:page 1},
|
||
:content {:text "The survey shows that software practitioners often place security pointers across SATD artefacts to promote a security culture among their peers and help them spot flaky code sections, among other motives."},
|
||
:properties {:color "yellow"}}
|
||
{:id #uuid "657b046c-1931-43c5-a9bc-86d76e4e5c78",
|
||
:page 1,
|
||
:position {:bounding {:x1 114.76042175292969,
|
||
:y1 961.21875,
|
||
:x2 627.9556732177734,
|
||
:y2 1052.6771240234375,
|
||
:width 1305.6,
|
||
:height 1689.6},
|
||
:rects ({:x1 592.866943359375,
|
||
:y1 961.21875,
|
||
:x2 627.62060546875,
|
||
:y2 982.5521240234375,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 984.5416870117188,
|
||
:x2 627.9556732177734,
|
||
:y2 1005.875,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 1008.0208740234375,
|
||
:x2 627.4692230224609,
|
||
:y2 1029.354248046875,
|
||
:width 1305.6,
|
||
:height 1689.6}
|
||
{:x1 114.76042175292969,
|
||
:y1 1031.34375,
|
||
:x2 589.8331146240234,
|
||
:y2 1052.6771240234375,
|
||
:width 1305.6,
|
||
:height 1689.6}),
|
||
:page 1},
|
||
:content {:text " Our findings suggest that preserving the contextual integrity of security pointers disseminated across SATD artefacts is critical to safeguard both commercial and OSS solutions against zero-day attacks."},
|
||
:properties {:color "yellow"}}
|
||
{:id #uuid "657dc10b-c38b-4a52-b157-494912c8d7c5",
|
||
:page 1,
|
||
:position {:bounding {:x1 550.546875,
|
||
:y1 410.96875,
|
||
:x2 967.6505126953125,
|
||
:y2 447.5546875,
|
||
:width 1060.8,
|
||
:height 1372.8},
|
||
:rects ({:x1 753.9152221679688,
|
||
:y1 410.96875,
|
||
:x2 967.6505126953125,
|
||
:y2 428.46875,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 550.546875,
|
||
:y1 430.0546875,
|
||
:x2 848.4317626953125,
|
||
:y2 447.5546875,
|
||
:width 1060.8,
|
||
:height 1372.8}),
|
||
:page 1},
|
||
:content {:text "circumvent with spurious design workarounds and sub-optimal implementations"},
|
||
:properties {:color "green"}}
|
||
{:id #uuid "657dc119-1283-4d18-a8eb-7ef4e1eaaa4b",
|
||
:page 1,
|
||
:position {:bounding {:x1 551.078125,
|
||
:y1 468.078125,
|
||
:x2 970.3164672851562,
|
||
:y2 504.5234375,
|
||
:width 1060.8,
|
||
:height 1372.8},
|
||
:rects ({:x1 634.2393188476562,
|
||
:y1 468.078125,
|
||
:x2 970.3164672851562,
|
||
:y2 485.578125,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 551.078125,
|
||
:y1 487.0234375,
|
||
:x2 903.294189453125,
|
||
:y2 504.5234375,
|
||
:width 1060.8,
|
||
:height 1372.8}),
|
||
:page 1},
|
||
:content {:text " low-quality artefacts that can impair the future maintenance and evolution of the system being developed"},
|
||
:properties {:color "green"}}
|
||
{:id #uuid "657dc13b-c9f7-4126-b876-5ad92d0bbc4f",
|
||
:page 1,
|
||
:position {:bounding {:x1 551.078125,
|
||
:y1 544,
|
||
:x2 970.0072631835938,
|
||
:y2 580.4375,
|
||
:width 1060.8,
|
||
:height 1372.8},
|
||
:rects ({:x1 739.9590454101562,
|
||
:y1 544,
|
||
:x2 970.0072631835938,
|
||
:y2 561.5,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 551.078125,
|
||
:y1 562.9375,
|
||
:x2 782.6049194335938,
|
||
:y2 580.4375,
|
||
:width 1060.8,
|
||
:height 1372.8}),
|
||
:page 1},
|
||
:content {:text " TD can incur extra work in the longterm, not to mention additional costs."},
|
||
:properties {:color "green"}}
|
||
{:id #uuid "657dc145-ed1e-4fea-b3d7-f08c4c30fe94",
|
||
:page 1,
|
||
:position {:bounding {:x1 551.078125,
|
||
:y1 562.9375,
|
||
:x2 967.6495361328125,
|
||
:y2 618.46875,
|
||
:width 1060.8,
|
||
:height 1372.8},
|
||
:rects ({:x1 831.4208984375,
|
||
:y1 562.9375,
|
||
:x2 967.6441040039062,
|
||
:y2 580.4375,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 551.078125,
|
||
:y1 582.0234375,
|
||
:x2 967.6495361328125,
|
||
:y2 599.5234375,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 551.078125,
|
||
:y1 600.96875,
|
||
:x2 844.7333984375,
|
||
:y2 618.46875,
|
||
:width 1060.8,
|
||
:height 1372.8}),
|
||
:page 1},
|
||
:content {:text " it is deemed a critical issue for software development and considered ubiquitous to most software projects across all industry segments"},
|
||
:properties {:color "purple"}}
|
||
{:id #uuid "657dc170-7bea-4bff-bae2-a4de42595c02",
|
||
:page 1,
|
||
:position {:bounding {:x1 551.078125,
|
||
:y1 705.4375,
|
||
:x2 967.64892578125,
|
||
:y2 760.9609375,
|
||
:width 1060.8,
|
||
:height 1372.8},
|
||
:rects ({:x1 800.6972045898438,
|
||
:y1 705.4375,
|
||
:x2 967.39697265625,
|
||
:y2 722.9375,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 551.078125,
|
||
:y1 724.515625,
|
||
:x2 967.64892578125,
|
||
:y2 742.015625,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 551.078125,
|
||
:y1 743.4609375,
|
||
:x2 847.0096435546875,
|
||
:y2 760.9609375,
|
||
:width 1060.8,
|
||
:height 1372.8}),
|
||
:page 1},
|
||
:content {:text "security incurs extra costs as it is frequently seen as an “after-thought” instead of an actual priority in the software development life cycle"},
|
||
:properties {:color "green"}}
|
||
{:id #uuid "657dc187-f390-45fe-986f-312a1ccc2ab6",
|
||
:page 1,
|
||
:position {:bounding {:x1 551.078125,
|
||
:y1 762.40625,
|
||
:x2 967.3717041015625,
|
||
:y2 798.9921875,
|
||
:width 1060.8,
|
||
:height 1372.8},
|
||
:rects ({:x1 805.4207763671875,
|
||
:y1 762.40625,
|
||
:x2 967.3717041015625,
|
||
:y2 779.90625,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 551.078125,
|
||
:y1 781.4921875,
|
||
:x2 631.2735595703125,
|
||
:y2 798.9921875,
|
||
:width 1060.8,
|
||
:height 1372.8}),
|
||
:page 1},
|
||
:content {:text " intersection between TD and security"},
|
||
:properties {:color "blue"}}
|
||
{:id #uuid "657dc1ad-caf0-4cff-8619-2ae58d6fbd8a",
|
||
:page 1,
|
||
:position {:bounding {:x1 551.078125,
|
||
:y1 895.4296875,
|
||
:x2 969.2659912109375,
|
||
:y2 950.9609375,
|
||
:width 1060.8,
|
||
:height 1372.8},
|
||
:rects ({:x1 580.91455078125,
|
||
:y1 895.4296875,
|
||
:x2 969.2659912109375,
|
||
:y2 912.9296875,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 551.078125,
|
||
:y1 914.375,
|
||
:x2 967.6387329101562,
|
||
:y2 931.875,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 551.078125,
|
||
:y1 933.4609375,
|
||
:x2 751.0281982421875,
|
||
:y2 950.9609375,
|
||
:width 1060.8,
|
||
:height 1372.8}),
|
||
:page 1},
|
||
:content {:text "significant part of TD is explicitly reported by developers themselves in the form of “self-admissions”, namely through software artefacts such as code comments"},
|
||
:properties {:color "blue"}}
|
||
{:id #uuid "657dc1e2-9695-46ff-b97d-1149ee389da5",
|
||
:page 1,
|
||
:position {:bounding {:x1 551.078125,
|
||
:y1 1047.3984375,
|
||
:x2 970.2335205078125,
|
||
:y2 1140.8203125,
|
||
:width 1060.8,
|
||
:height 1372.8},
|
||
:rects ({:x1 890.374267578125,
|
||
:y1 1047.3984375,
|
||
:x2 969.359375,
|
||
:y2 1064.8984375,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 551.078125,
|
||
:y1 1066.34375,
|
||
:x2 970.207275390625,
|
||
:y2 1083.84375,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 551.078125,
|
||
:y1 1085.4296875,
|
||
:x2 967.5057373046875,
|
||
:y2 1102.9296875,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 551.078125,
|
||
:y1 1105.609375,
|
||
:x2 970.2335205078125,
|
||
:y2 1123.109375,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 551.078125,
|
||
:y1 1123.3203125,
|
||
:x2 876.2894897460938,
|
||
:y2 1140.8203125,
|
||
:width 1060.8,
|
||
:height 1372.8}),
|
||
:page 1},
|
||
:content {:text "Particularly, an attacker could take advantage of security pointers disclosed inside these sources (e.g., a code comment like “TODO: Make it thread-safe”) to spot exploitable weaknesses in the system threatening its availability, confidentiality and integrity. "},
|
||
:properties {:color "purple"}}
|
||
{:id #uuid "657dc427-af89-4c6b-bce5-4cb9d1a4c390",
|
||
:page 1,
|
||
:position {:bounding {:x1 551.078125,
|
||
:y1 1142.3984375,
|
||
:x2 967.6470947265625,
|
||
:y2 1197.7890625,
|
||
:width 1060.8,
|
||
:height 1372.8},
|
||
:rects ({:x1 721.1380615234375,
|
||
:y1 1142.3984375,
|
||
:x2 967.6424560546875,
|
||
:y2 1159.8984375,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 551.078125,
|
||
:y1 1161.34375,
|
||
:x2 967.6470947265625,
|
||
:y2 1178.84375,
|
||
:width 1060.8,
|
||
:height 1372.8}
|
||
{:x1 551.078125,
|
||
:y1 1180.2890625,
|
||
:x2 682.3818359375,
|
||
:y2 1197.7890625,
|
||
:width 1060.8,
|
||
:height 1372.8}),
|
||
:page 1},
|
||
:content {:text " the security implications of SATD have not been investigated nor documented throughout the literature up to our knowledge"},
|
||
:properties {:color "blue"}}
|
||
{:id #uuid "657dc6fb-e377-4918-99cb-750ab2872eaa",
|
||
:page 2,
|
||
:position {:bounding {:x1 107.5859375,
|
||
:y1 193.0078125,
|
||
:x2 588.353759765625,
|
||
:y2 235.03125,
|
||
:width 1224,
|
||
:height 1584},
|
||
:rects ({:x1 130.5911865234375,
|
||
:y1 193.0078125,
|
||
:x2 588.353759765625,
|
||
:y2 213.0078125,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 107.5859375,
|
||
:y1 215.03125,
|
||
:x2 227.69491577148438,
|
||
:y2 235.03125,
|
||
:width 1224,
|
||
:height 1584}),
|
||
:page 2},
|
||
:content {:text " implications of security pointers inside SATD instances across multiple sources"},
|
||
:properties {:color "purple"}}
|
||
{:id #uuid "657dc710-9843-4cbd-ac68-61370542bd06",
|
||
:page 2,
|
||
:position {:bounding {:x1 106.9765625,
|
||
:y1 215.03125,
|
||
:x2 591.3734130859375,
|
||
:y2 300.765625,
|
||
:width 1224,
|
||
:height 1584},
|
||
:rects ({:x1 432.4708557128906,
|
||
:y1 215.03125,
|
||
:x2 591.3734130859375,
|
||
:y2 235.03125,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 107.5859375,
|
||
:y1 236.890625,
|
||
:x2 590.332275390625,
|
||
:y2 256.890625,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 107.5859375,
|
||
:y1 258.75,
|
||
:x2 588.356689453125,
|
||
:y2 278.75,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 106.9765625,
|
||
:y1 280.765625,
|
||
:x2 459.8996887207031,
|
||
:y2 300.765625,
|
||
:width 1224,
|
||
:height 1584}),
|
||
:page 2},
|
||
:content {:text "whether explicit references to security vulnerabilities inside code comments, commits, issue reports, and pull requests can help characterise exploitable weaknesses inside Open-Source Software (OSS"},
|
||
:properties {:color "blue"}}
|
||
{:id #uuid "657dc74f-1a59-490f-89d9-dd3bd5143987",
|
||
:page 2,
|
||
:position {:bounding {:x1 107.5859375,
|
||
:y1 302.625,
|
||
:x2 588.35498046875,
|
||
:y2 366.5,
|
||
:width 1224,
|
||
:height 1584},
|
||
:rects ({:x1 167.35498046875,
|
||
:y1 302.625,
|
||
:x2 588.35498046875,
|
||
:y2 322.625,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 107.5859375,
|
||
:y1 324.484375,
|
||
:x2 588.34912109375,
|
||
:y2 344.484375,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 107.5859375,
|
||
:y1 346.5,
|
||
:x2 260.7581787109375,
|
||
:y2 366.5,
|
||
:width 1224,
|
||
:height 1584}),
|
||
:page 2},
|
||
:content {:text " OSS projects and repositories as they become easy targets of security attacks by making their artefacts visible and available to the public in general "},
|
||
:properties {:color "green"}}
|
||
{:id #uuid "657dc794-12d3-4c51-91b8-77e5a5ef87d4",
|
||
:page 2,
|
||
:position {:bounding {:x1 126.4375,
|
||
:y1 416.0390625,
|
||
:x2 590.2296142578125,
|
||
:y2 457.8984375,
|
||
:width 1224,
|
||
:height 1584},
|
||
:rects ({:x1 126.4375,
|
||
:y1 416.0390625,
|
||
:x2 590.2296142578125,
|
||
:y2 436.0390625,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 126.4375,
|
||
:y1 437.8984375,
|
||
:x2 510.3699951171875,
|
||
:y2 457.8984375,
|
||
:width 1224,
|
||
:height 1584}),
|
||
:page 2},
|
||
:content {:text "RQ1: Can SATD sources contain pointers to security weaknesses and vulnerabilities inside OSS repositories?"},
|
||
:properties {:color "blue"}}
|
||
{:id #uuid "657dc7a1-e7f0-4bcc-af73-58094e6608af",
|
||
:page 2,
|
||
:position {:bounding {:x1 126.4375,
|
||
:y1 503.7890625,
|
||
:x2 591.34326171875,
|
||
:y2 567.5078125,
|
||
:width 1224,
|
||
:height 1584},
|
||
:rects ({:x1 436.77423095703125,
|
||
:y1 503.7890625,
|
||
:x2 588.3168334960938,
|
||
:y2 523.7890625,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 126.4375,
|
||
:y1 525.6484375,
|
||
:x2 591.34326171875,
|
||
:y2 545.6484375,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 126.4375,
|
||
:y1 547.5078125,
|
||
:x2 148.34214782714844,
|
||
:y2 567.5078125,
|
||
:width 1224,
|
||
:height 1584}),
|
||
:page 2},
|
||
:content {:text "546 security-relevant SATD candidates and inspected them manually for security pointers"},
|
||
:properties {:color "green"}}
|
||
{:id #uuid "657dc7ac-5da8-4f6f-b13d-53927c27ef57",
|
||
:page 2,
|
||
:position {:bounding {:x1 126.4375,
|
||
:y1 547.5078125,
|
||
:x2 591.34326171875,
|
||
:y2 611.390625,
|
||
:width 1224,
|
||
:height 1584},
|
||
:rects ({:x1 326.2711181640625,
|
||
:y1 547.5078125,
|
||
:x2 587.1630859375,
|
||
:y2 567.5078125,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 126.4375,
|
||
:y1 569.53125,
|
||
:x2 591.34326171875,
|
||
:y2 589.53125,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 126.4375,
|
||
:y1 591.390625,
|
||
:x2 145.0221710205078,
|
||
:y2 611.390625,
|
||
:width 1224,
|
||
:height 1584}),
|
||
:page 2},
|
||
:content {:text " 201 Security Self-Admitted Technical Debt (SSATD) observations that we considered for further analysis"},
|
||
:properties {:color "yellow"}}
|
||
{:id #uuid "657dc7d0-92a6-4e6b-af25-a2a30bff0079",
|
||
:page 2,
|
||
:position {:bounding {:x1 126.4375,
|
||
:y1 613.25,
|
||
:x2 588.3197021484375,
|
||
:y2 655.265625,
|
||
:width 1224,
|
||
:height 1584},
|
||
:rects ({:x1 126.4375,
|
||
:y1 613.25,
|
||
:x2 588.3197021484375,
|
||
:y2 633.25,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 126.4375,
|
||
:y1 635.265625,
|
||
:x2 527.8638305664062,
|
||
:y2 655.265625,
|
||
:width 1224,
|
||
:height 1584}),
|
||
:page 2},
|
||
:content {:text "RQ2: Which particular weakness and vulnerabilities are frequently exposed through different SATD sources?"},
|
||
:properties {:color "blue"}}
|
||
{:id #uuid "657dc806-5f06-4633-a890-e5639a826fa5",
|
||
:page 2,
|
||
:position {:bounding {:x1 126.4375,
|
||
:y1 701,
|
||
:x2 591.3416137695312,
|
||
:y2 786.734375,
|
||
:width 1224,
|
||
:height 1584},
|
||
:rects ({:x1 292.75909423828125,
|
||
:y1 701,
|
||
:x2 588.3223876953125,
|
||
:y2 721,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 126.4375,
|
||
:y1 722.859375,
|
||
:x2 591.3416137695312,
|
||
:y2 742.859375,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 126.4375,
|
||
:y1 744.875,
|
||
:x2 588.01806640625,
|
||
:y2 764.875,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 126.4375,
|
||
:y1 766.734375,
|
||
:x2 461.6142272949219,
|
||
:y2 786.734375,
|
||
:width 1224,
|
||
:height 1584}),
|
||
:page 2},
|
||
:content {:text "25 different CWE types across commit messages, code comments, pull requests, and issue reports. Moreover, 8 of these 25 CWEs appear listed among MITRE’s Top-25 most dangerous software weaknesses in 2023."},
|
||
:properties {:color "green"}}
|
||
{:id #uuid "657dc80c-3168-4d1e-a104-2ae61b0ce9b4",
|
||
:page 2,
|
||
:position {:bounding {:x1 126.4375,
|
||
:y1 788.59375,
|
||
:x2 587.6395263671875,
|
||
:y2 830.609375,
|
||
:width 1224,
|
||
:height 1584},
|
||
:rects ({:x1 126.4375,
|
||
:y1 788.59375,
|
||
:x2 587.6395263671875,
|
||
:y2 808.59375,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 126.4375,
|
||
:y1 810.609375,
|
||
:x2 333.0499267578125,
|
||
:y2 830.609375,
|
||
:width 1224,
|
||
:height 1584}),
|
||
:page 2},
|
||
:content {:text "RQ3: What is developers’ perspective on security-related SATD in OSS repositories?"},
|
||
:properties {:color "blue"}}
|
||
{:id #uuid "657dc827-0c7e-4b4b-8852-afdd509477af",
|
||
:page 2,
|
||
:position {:bounding {:x1 126.4375,
|
||
:y1 920.2265625,
|
||
:x2 591.3485107421875,
|
||
:y2 962.0859375,
|
||
:width 1224,
|
||
:height 1584},
|
||
:rects ({:x1 288.17401123046875,
|
||
:y1 920.2265625,
|
||
:x2 591.3485107421875,
|
||
:y2 940.2265625,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 126.4375,
|
||
:y1 942.0859375,
|
||
:x2 506.4214782714844,
|
||
:y2 962.0859375,
|
||
:width 1224,
|
||
:height 1584}),
|
||
:page 2},
|
||
:content {:text "many practitioners engage with this practice, although they recognise it as potentially risky. "},
|
||
:properties {:color "green"}}
|
||
{:id #uuid "657dc8b7-d222-40d5-8d66-705aaaccff4b",
|
||
:page 2,
|
||
:position {:bounding {:x1 107.5859375,
|
||
:y1 1278.6875,
|
||
:x2 591.2879638671875,
|
||
:y2 1342.5625,
|
||
:width 1224,
|
||
:height 1584},
|
||
:rects ({:x1 504.496826171875,
|
||
:y1 1278.6875,
|
||
:x2 591.2879638671875,
|
||
:y2 1298.6875,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 107.5859375,
|
||
:y1 1300.546875,
|
||
:x2 588.3570556640625,
|
||
:y2 1320.546875,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 107.5859375,
|
||
:y1 1322.5625,
|
||
:x2 299.4558410644531,
|
||
:y2 1342.5625,
|
||
:width 1224,
|
||
:height 1584}),
|
||
:page 2},
|
||
:content {:text " a few publications in the current literature explore the interface between software security and TD"},
|
||
:properties {:color "green"}}
|
||
{:id #uuid "657dc8ed-8198-455d-b95c-6e3f183b7401",
|
||
:page 2,
|
||
:position {:bounding {:x1 635.8671875,
|
||
:y1 215.03125,
|
||
:x2 1119.671142578125,
|
||
:y2 300.765625,
|
||
:width 1224,
|
||
:height 1584},
|
||
:rects ({:x1 892.2384033203125,
|
||
:y1 215.03125,
|
||
:x2 1116.63623046875,
|
||
:y2 235.03125,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 635.8671875,
|
||
:y1 236.890625,
|
||
:x2 1119.671142578125,
|
||
:y2 256.890625,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 635.8671875,
|
||
:y1 258.75,
|
||
:x2 1118.60107421875,
|
||
:y2 278.75,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 635.8671875,
|
||
:y1 280.765625,
|
||
:x2 718.1690063476562,
|
||
:y2 300.765625,
|
||
:width 1224,
|
||
:height 1584}),
|
||
:page 2},
|
||
:content {:text " they suggest that tools/methods such as code reviews and threat modelling are suitable to spot internal quality issues in software requirements, coding, architecture, and testing"},
|
||
:properties {:color "green"}}
|
||
{:id #uuid "657dca95-443e-4a10-8e43-8bca892cb0ba",
|
||
:page 2,
|
||
:position {:bounding {:x1 635.8671875,
|
||
:y1 609.4453125,
|
||
:x2 1118.9429931640625,
|
||
:y2 673.3203125,
|
||
:width 1224,
|
||
:height 1584},
|
||
:rects ({:x1 900.6593627929688,
|
||
:y1 609.4453125,
|
||
:x2 1118.9429931640625,
|
||
:y2 629.4453125,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 635.8671875,
|
||
:y1 631.4609375,
|
||
:x2 1117.703369140625,
|
||
:y2 651.4609375,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 635.8671875,
|
||
:y1 653.3203125,
|
||
:x2 887.8391723632812,
|
||
:y2 673.3203125,
|
||
:width 1224,
|
||
:height 1584}),
|
||
:page 2},
|
||
:content {:text "They conclude that TD pointers can help improve the performance of Machine Learning (ML) models for vulnerability prediction."},
|
||
:properties {:color "green"}}
|
||
{:id #uuid "657dcabf-d2aa-4545-b8ea-0ce2982bda30",
|
||
:page 2,
|
||
:position {:bounding {:x1 635.8671875,
|
||
:y1 1058.828125,
|
||
:x2 1119.6539306640625,
|
||
:y2 1122.703125,
|
||
:width 1224,
|
||
:height 1584},
|
||
:rects ({:x1 843.0870361328125,
|
||
:y1 1058.828125,
|
||
:x2 1116.635986328125,
|
||
:y2 1078.828125,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 635.8671875,
|
||
:y1 1080.6875,
|
||
:x2 1119.6539306640625,
|
||
:y2 1100.6875,
|
||
:width 1224,
|
||
:height 1584}
|
||
{:x1 635.8671875,
|
||
:y1 1102.703125,
|
||
:x2 738.2830200195312,
|
||
:y2 1122.703125,
|
||
:width 1224,
|
||
:height 1584}),
|
||
:page 2},
|
||
:content {:text "more than 55% of self-admissions in the form of code comments correspond to insecure implementations/snippets"},
|
||
:properties {:color "blue"}}],
|
||
:extra {:page 7}}
|