Write a Blog >>
ICSE 2023
Sun 14 - Sat 20 May 2023 Melbourne, Australia
Sat 20 May 2023 11:15 - 11:30 at Meeting Room 104 - Paper Session 1 Chair(s): M. Mehdi Kholoosi

In open-source projects, anyone can contribute, so it is important to have an active continuous integration and continuous delivery (CI/CD) pipeline in addition to a protocol for reporting security concerns, especially in projects that are widely used and belong to the software supply chain. Many of these projects are hosted on GitHub, where maintainers can create automated workflows using GitHub Actions, introduced in 2019, for inspecting proposed changes to source code and defining a security policy for reporting vulnerabilities. We conduct an empirical study to measure the usage of GitHub workflows and security policies in thousands of popular repositories based on the number of stars. After querying the top one-hundred and top one-thousand repositories from all 181 trending GitHub topics, and the top 4,900 overall repositories, totaling just over 173 thousand projects, we find that 37% of projects have workflows enabled and 7% have a security policy in place. Using the top 60 repositories from each of the 34 most popular programming languages on GitHub, 2,040 projects total, we find that 57% of projects have workflows enabled and 17% have a security policy in place. Furthermore, from those top repositories that have support for GitHub CodeQL static analysis, which performs bug and vulnerability checks, only 13.5% have it enabled; in fact, we found that only 1.7% of the top repositories using Kotlin have an active CodeQL scanning workflow. These results highlight that open-source project maintainers should prioritize configuring workflows, enabling automated static analysis whenever possible, and defining a security policy to prevent vulnerabilities from being introduced or remaining in source code.

Sat 20 May

Displayed time zone: Hobart change

11:00 - 12:30
Paper Session 1SVM at Meeting Room 104
Chair(s): M. Mehdi Kholoosi University of Adelaide
11:00
15m
Full-paper
A Static Analysis Platform for Investigating Security Trends in Repositories
SVM
Tim Sonnekalb German Aerospace Center (DLR), Christopher-Tobias Knaust , Thomas S. Heinze Aarhus University, Denmark, Clemens-Alexander Brust German Aerospace Center (DLR), Bernd Gruner DLR Institute of Data Science, Lynn von Kurnatowski German Aerospace Center, Andreas Schreiber German Aerospace Center (DLR), Patrick Mäder Technische Universität Ilmenau
11:15
15m
Full-paper
An Empirical Study on Workflows and Security Policies in Popular GitHub Repositories
SVM
Jessy Ayala University of California Irvine, Joshua Garcia University of California, Irvine
11:40
50m
Talk
Group forming and discussion - SVM gaps between academia and practice
SVM