A Study of Vulnerability Identifiers in Code Comments: Source, Purpose, and Severity

Nugroho, Yusuf Sulistyo; Gunawan, Dedi; Putri, Devi Afriyantari Puspa; Islam, Syful; Alhefdhi, Abdulaziz

doi:10.24138/jcomss-2021-0124

Cited by 3 publications

(3 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To answer RQ 1 , we conducted a qualitative analysis of statistically representative samples included in dataset D2. In order to identify the topics discussed by npm maintainers on Twitter, we manually analyzed the tweets related to npm ecosystem using thematic analysis similar to previous studies ( Hata et al, 2019 ; Nugroho et al, 2021 , 2022 ; Islam et al, 2023 ). This process consists of four steps: (1) building a schema to classify the tweets, (2) grouping the topics into coherent categories, (3) classifying the tweets manually based on the developed schema, (4) aggregating the results from analysis.…”

Section: Methodsmentioning

confidence: 99%

An empirical study of software ecosystem related tweets by npm maintainers

Islam,

Nugroho,

Shahrear

et al. 2024

PeerJ Computer Science

Self Cite

View full text Add to dashboard Cite

The npm ecosystem is crucial for the JavaScript community and its development is significantly influenced by the opinions and feedback of npm maintainers. Many software ecosystem maintainers have utilized social media, such as Twitter, to share community-related information and their views. However, the communication between npm maintainers via Twitter in terms of topics, nature, and sentiment have not been analyzed. This study conducts an empirical analysis of tweets by npm maintainers related to the software ecosystem to understand their perceptions and opinions better. A dataset of tweets was collected and analyzed using qualitative analysis techniques to identify the topic of tweets, nature, and their sentiments. Our study demonstrates that most tweets belong to the package management category, followed by notifications and community-related information. The most frequently discussed topics among npm maintainers in the package management category are usage scenarios. It appears that the nature of tweets mostly shared by npm maintainers is information, followed by question and answer, respectively. Additionally, the sentiment analysis reveals that npm maintainers express more positive sentiments towards notification and community-related discussion while expressing more neutral opinions towards the package management related discussion. This case study provides valuable insights into the perceptions and opinions of the npm maintainers regarding the software ecosystem and can inform future development and decision making.

show abstract

Section: Methodsmentioning

confidence: 99%

An empirical study of software ecosystem related tweets by npm maintainers

Islam,

Nugroho,

Shahrear

et al. 2024

PeerJ Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…In order to discover the topics from tweets posted by the npm core developers, an open coding strategy was adopted similar to previous studies 14,21,27,28 . The open coding process consists of three steps.…”

Section: Topic Of Tweet (Rq 1 ): What Are the Main Topics Of Interest...mentioning

confidence: 99%

An Empirical Study of npm Ecosystem Related Tweets by Core Software Developers: A Case Study

Islam

Nugroho

Shahrear

et al. 2023

Preprint

View full text Add to dashboard Cite

npm ecosystem is crucial for the JavaScript community and its development is significantly influenced by the opinions and feedback of core software developers.Many software developers have utilized social media, such as Twitter, to share community-related information and their views. However, the communication between npm developers via Twitter in terms of topics, nature, and sentiment have not been analyzed.This study conducts an empirical analysis of tweets by core software developers related to the npm ecosystem to understand their perceptions and opinions better. A dataset of tweets was collected and analyzed using qualitative analysis techniques to identify the topic of tweets, their nature and their sentiments. Our study demonstrated that most tweets belong to the package management category followed by notifications and community-related information.The most frequently discussed topics among core software developers in the package management category are usage scenarios. It appears that developers use a variety of approaches, with information tweets dominating, followed by questions and answers.Additionally, the sentiment analysis revealed that developers express more positive sentiments towards notification and community-related discussion while expressing more neutral opinions towards the package ecosystem discussion category. This case study provides valuable insights into the perceptions and opinions of core software developers regarding the npm ecosystem and can inform future development and decision-making.

show abstract

“…Cowan named it the "vulnerability of the decade" (1988)(1989)(1990)(1991)(1992)(1993)(1994)(1995)(1996)(1997)(1998), because it was the leading cause of security breaches following its discovery [7]. According to the Common Vulnerabilities and Exposures (CVE) list of 2019, it was the most frequently reported vulnerability, with more than 400 reported vulnerabilities [8]. As of May 2021, the number of reported buffer overflow vulnerabilities in the CVE database has reached over 13,700 [9].…”

Section: Introductionmentioning

confidence: 99%

An In-Depth Survey of Bypassing Buffer Overflow Mitigation Techniques

et al. 2022

View full text Add to dashboard Cite

Buffer Overflow (BOF) has been a ubiquitous security vulnerability for more than three decades, potentially compromising any software application or system. This vulnerability occurs primarily when someone attempts to write more bytes of data (shellcode) than a buffer can handle. To date, this primitive attack has been used to attack many different software systems, resulting in numerous buffer overflows. The most common type of buffer overflow is the stack overflow vulnerability, through which an adversary can gain admin privileges remotely, which can then be used to execute shellcode. Numerous mitigation techniques have been developed and deployed to reduce the likelihood of BOF attacks, but attackers still manage to bypass these techniques. A variety of mitigation techniques have been proposed and implemented on the hardware, operating system, and compiler levels. These techniques include No-EXecute (NX) and Address Space Layout Randomization (ASLR). The NX bit prevents the execution of malicious code by making various portions of the address space of a process inoperable. The ASLR algorithm randomly assigns addresses to various parts of the logical address space of a process as it is loaded in memory for execution. Position Independent Executable (PIE) and ASLR provide more robust protection by randomly generating binary segments. Read-only relocation (RELRO) protects the Global Offset Table (GOT) from overwriting attacks. StackGuard protects the stack by placing the canary before the return address in order to prevent stack smashing attacks. Despite all the mitigation techniques in place, hackers continue to be successful in bypassing them, making buffer overflow a persistent vulnerability. The current work aims to describe the stack-based buffer overflow vulnerability and review in detail the mitigation techniques reported in the literature as well as how hackers attempt to bypass them.

show abstract

A Study of Vulnerability Identifiers in Code Comments: Source, Purpose, and Severity

Cited by 3 publications

References 27 publications

An empirical study of software ecosystem related tweets by npm maintainers

An empirical study of software ecosystem related tweets by npm maintainers

An Empirical Study of npm Ecosystem Related Tweets by Core Software Developers: A Case Study

An In-Depth Survey of Bypassing Buffer Overflow Mitigation Techniques

Contact Info

Product

Resources

About