We study 10 C/C++ projects that have been using a static analysis security testing tool. We analyze the historical scan reports generated by the tool and study how frequently memory-related alerts appeared. We also studied the subsequent developer action on those alerts. We also look at the CVEs published for these projects within the study timeline and investigate how many of them are memory related. Moreover, for one of this project, Linux, we investigate if the involved flaws in the CVE were identified by the studied security tool when they were first introduced in the code. We found memory related alerts to be frequently detected during static analysis security testing. However, based on how actively the project developers are monitoring the tool alerts, these errors can take years to get fixed. For the ten studied projects, we found a median lifespan of 77 days before memory alerts get fixed. We also find that around 40% of the published CVEs for the studied C/C++ projects are related to memory. These memory CVEs have higher CVSS severity ratings and likelihood of having an exploit script public than non-memory CVEs. We also found only 2.5% Linux CVEs were possibly detected during static analysis security testing.
翻译:我们研究了使用静态分析安全测试工具的10个C/C+++项目。我们分析了该工具产生的历史扫描报告,并研究了与记忆有关的警报的出现频率。我们还研究了这些警报随后的开发者行动。我们还研究了在研究时间表内为这些项目公布的CVE项目,并调查其中多少与记忆有关。此外,对于这个项目中的一个项目,Linux,我们调查所研究的安全工具在首次引入代码时是否发现CVE的缺陷。我们发现,在静态分析安全测试中经常发现与记忆有关的警报。然而,根据项目开发者如何积极监测工具警报,这些错误可能需要数年时间才能固定下来。在研究的10个项目中,我们在记忆警报得到固定之前发现了77天的中位寿命。我们还发现,为所研究的C/C+VE项目出版的CVE约40%与记忆有关。这些CVSS的记忆强度评级较高,而且有可能利用文稿公众而不是非显性CPVE。我们还发现,在进行静态测试期间,只有2.5%的Linux CVEVE可能检测中测得。