Exploring Code Vulnerabilities through Code Reviews: An Empirical Study on OpenStack Nova

PP: 681-689

doi:10.18576/jsap/130208
Author(s)

Taleb Fahmawi, Ahmad Nabot, Issam Jebreen, Ahmad Al-Qerem

Abstract

Effective code review is a critical aspect of software quality assurance, requiring a meticulous examination of code snippets to identify weaknesses and other quality issues. Unfortunately, the biggest threat to software quality is developers' disregard for code-writing standards, which leads to code smells. Despite their importance, code smells are not always identified during code review, creating a need for an empirical study to uncover vulnerabilities in code reviews. This study aimed to explore vulnerabilities in code reviews by examining the OpenStack project Nova. After analyzing 4873 review comments, we identified 187 comments related to possible vulnerabilities, and a pilot study confirmed 151 of them as vulnerabilities. Our findings revealed that injection vulnerability flaws were the most prevalent, while insecure deserialization was the least common. Our study also identified three primary reasons for vulnerabilities: developers' knowledge of secure coding practices, unfamiliarity with existing code, and unintentional errors. In response to these vulnerabilities, reviewers suggested that developers fix the issues, and developers generally followed their recommendations. We recommend that developers receive training in secure coding practices to improve software quality, and that code review procedures include specific checks for common vulnerabilities. Additionally, it is essential to ensure that reviewers and developers communicate effectively to address vulnerabilities efficiently and effectively.