Examining the Relationship of Code and Architectural Smells with Software Vulnerabilities

Context: Security is vital to software developed for commercial or personal use. Although more organizations are realizing the importance of secure coding practices, in many of them security concerns are not recognized or addressed until a security failure occurs. The root cause of such failures is vulnerable code. Software metrics have been used to predict vulnerabilities; here we explore the relationship between code and architectural smells and security weaknesses. Because smells are surface indicators of deeper problems in software, establishing whether smells are associated with vulnerabilities can play a significant role in vulnerability prediction models. Objective: This study explores the relationship between smells and software vulnerabilities in order to identify which smells are associated with vulnerable code. Method: We extracted class-, method-, file-, and package-level smells for three systems: Apache Tomcat, Apache CXF, and Android. We then compared the occurrence of each smell in vulnerable classes (classes reported to contain vulnerable code) with its occurrence in neutral classes (classes for which no vulnerability had yet been reported). Results: A vulnerable class is more likely than a neutral class to exhibit certain smells. God Class, Complex Class, Large Class, Data Class, Feature Envy, and Brain Class have a statistically significant relationship with software vulnerabilities. We found no significant relationship between architectural smells and software vulnerabilities. Conclusion: For all the systems examined, there is a statistically significant correlation between software vulnerabilities and some code smells.
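The comparison described in the Method section reduces, per smell, to a 2x2 contingency table (vulnerable/neutral classes by smell present/absent) and a test of whether the smell is over-represented in the vulnerable group. The following is an added worked example, not code or data from the paper: the class records are constructed, the two smell names are taken from the paper's results, and the choice of Fisher's exact test is an assumption, since the abstract does not name the statistical test used.

```python
"""Does a given code smell occur more often in vulnerable classes than in
neutral ones?  Worked example (constructed data) of the class-level
comparison described in the abstract, tested with Fisher's exact test."""
from fractions import Fraction
from math import comb

# Constructed sample: (class id, reported vulnerable?, detected smells).
# These are made-up records, not data from Tomcat, CXF or Android.
CLASSES = [
    ("V1", True,  {"God Class", "Data Class"}),
    ("V2", True,  {"God Class", "Data Class"}),
    ("V3", True,  {"God Class", "Data Class"}),
    ("V4", True,  {"God Class", "Data Class"}),
    ("V5", True,  {"God Class"}),
    ("V6", True,  {"God Class"}),
    ("V7", True,  {"God Class"}),
    ("V8", True,  set()),
    ("N1", False, {"God Class", "Data Class"}),
    ("N2", False, {"God Class"}),
    ("N3", False, {"Data Class"}),
    ("N4", False, {"Data Class"}),
    ("N5", False, {"Data Class"}),
    ("N6", False, {"Data Class"}),
] + [(f"N{i}", False, set()) for i in range(7, 13)]

SMELLS = ["God Class", "Data Class"]


def contingency_table(records, smell):
    """2x2 table (a, b, c, d) = (vulnerable with smell, vulnerable without,
    neutral with smell, neutral without)."""
    a = b = c = d = 0
    for _, vulnerable, smells in records:
        has = smell in smells
        if vulnerable:
            a, b = (a + 1, b) if has else (a, b + 1)
        else:
            c, d = (c + 1, d) if has else (c, d + 1)
    return a, b, c, d


def fisher_exact(a, b, c, d):
    """Two-sided Fisher exact p-value for the table [[a, b], [c, d]].

    Under H0 (smell independent of vulnerability) the count a follows a
    hypergeometric distribution with the margins fixed.  The two-sided
    p-value sums the probability of every table that is no more probable
    than the observed one.  Integer arithmetic keeps the result exact,
    so ties need no floating-point tolerance."""
    r1, r2, c1 = a + b, c + d, a + c
    n = r1 + r2
    lo, hi = max(0, c1 - r2), min(r1, c1)
    weight = {x: comb(r1, x) * comb(r2, c1 - x) for x in range(lo, hi + 1)}
    observed = weight[a]
    extreme = sum(w for w in weight.values() if w <= observed)
    return float(Fraction(extreme, comb(n, c1)))


def odds_ratio(a, b, c, d):
    """Odds of carrying the smell in vulnerable vs neutral classes."""
    if b * c == 0:
        return float("inf") if a * d > 0 else float("nan")
    return (a * d) / (b * c)


def analyse(records, smells, alpha=0.05):
    """Per smell: table, share of smelly classes in each group, odds ratio,
    p-value and whether it clears the chosen significance level."""
    results = {}
    for smell in smells:
        a, b, c, d = contingency_table(records, smell)
        p = fisher_exact(a, b, c, d)
        results[smell] = {
            "table": (a, b, c, d),
            "share_vulnerable": a / (a + b) if a + b else float("nan"),
            "share_neutral": c / (c + d) if c + d else float("nan"),
            "odds_ratio": odds_ratio(a, b, c, d),
            "p_value": p,
            "significant": p < alpha,
        }
    return results


if __name__ == "__main__":
    for smell, r in analyse(CLASSES, SMELLS).items():
        print(f"{smell:<11} table={r['table']} OR={r['odds_ratio']:.1f} "
              f"p={r['p_value']:.4f} significant={r['significant']}")
```

On the constructed data, God Class appears in 7 of 8 vulnerable classes versus 2 of 12 neutral ones (p ≈ 0.0045), while Data Class is spread evenly (p = 1.0). Two caveats apply to any real run: the test establishes association, not that the smell causes the vulnerability, and several of the significant smells (God Class, Large Class, Brain Class) are partly measures of class size, which is itself a known predictor of vulnerability counts; and testing many smells at once calls for a multiple-comparison correction (Bonferroni or Benjamini-Hochberg) before reading individual p-values.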
