Software developers share programming solutions on Q&A sites such as Stack Overflow. Reusing crowd-sourced code snippets can speed up prototyping. However, recent research shows that shared code snippets may be of low quality and can even contain vulnerabilities. This paper aims to understand the nature and prevalence of security vulnerabilities in crowd-sourced code examples. To achieve this goal, we investigate security vulnerabilities in the C++ code snippets shared on Stack Overflow over a period of 10 years. In collaborative sessions involving multiple human coders, we manually assessed each code snippet for security vulnerabilities following the CWE (Common Weakness Enumeration) guidelines. From the 72,483 reviewed code snippets that are used in at least one project hosted on GitHub, we found a total of 69 vulnerable code snippets, categorized into 29 CWE types. Many of the investigated code snippets have still not been corrected on Stack Overflow. The 69 vulnerable code snippets found on Stack Overflow were reused in a total of 2,859 GitHub projects. To help improve the quality of code snippets shared on Stack Overflow, we developed a browser extension that allows Stack Overflow users to check code snippets for vulnerabilities when they post them on the platform.