- 文字
- 歷史
C. MetricsIn addition to counting v
C. Metrics
In addition to counting vulnerabilities, our BuildBot configuration
collected and analyzed the following software
metrics: SLOC, cyclomatic complexity, and nesting complexity.
While SCA is a commercial static analysis tool, our
other metric tools were open source tools packaged with
Ubuntu Linux 10.04. Cyclomatic Complexity and Nesting
Complexity were computed using PHP CodeSniffer 1.10 [6]
with custom classes and a Ruby script to extract only the
data we needed.
In our previous study, we used SLOCCount 2.26 [25]
to measure SLOC. However, this tool returned inconsistent
results when run multiple times on the same source code,
sometimes failing to report results at all. Therefore, we
used Fortify SCA to count code in this study, which returns
consistent SLOC counts for code, and as it is the same tool
that we used to find vulnerabilities, we expect that it counts
the same code that it finds vulnerabilities in. We still run
SLOCCount on each revision as part of a check to ensure
that our BuildBot-based system produced the same results as
our previous study. SLOC metrics from SCA are lower than
those from SLOCCount, as SCA SLOC does not include
lines with only braces or declarations.
We measured vulnerability density using the static analysis
vulnerability density (SAVD) metric [7] We used results
from Fortify SCA version 5.10 to compute SAVD, as SCA
reported both the number of vulnerabilities and SLOC. This
means that both the numerator and denominator of SAVD
differ from the original study, which results in much higher
SAVD values due to both the larger number of vulnerabilities
found and the smaller code size values. Since Fortify SCA
also categorized vulnerabilities into types such as cross-
Figure 1. SLOC vs. Vulnerabilities for All Project Versions
Table II
AGGREGATE DATA
Datum 2006 2007 2008 2009 2010
SLOC 684,654 782,870 864,113 980,029 1,182,917
Vulnerabilities 19,253 17,404 24,529 24,707 23,613
OWASP Top 10 14,742 12,467 17,970 17,623 17,389
SAVD 28.12 22.23 28.38 25.21 19.96
site scripting and SQL injection, we could also measure
vulnerability density for particular types of vulnerabilities.
IV. AGGREGATE FINDINGS
The size of the aggregate code base for all fourteen
projects steadily grew from 684,654 sources line of code
in mid-2006 to 1,182,917 lines of code in mid-2010. The
number of vulnerabilities also grew throughout that time
period from 19,253 to 23,613, though not steadily, as there
was a large decrease in 2007 followed by a large increase
in 2008. We found that the relationship between the number
of vulnerabilities in a version and the code size was roughly
linear and plotted in Figure 1 using a logarithmic scale.
Clusters of data points are typically different versions from
the same application. As the number of vulnerabilities grew
slower than the the size of the code, vulnerability density
decreased strongly from 28.12 vulnerabilities per thousand
lines of code to 19.96. Table II summarizes the findings of
this analysis.
While the overall trend was towards lower vulnerability
density, individual projects evolved differently, with eight
projects decreasing vulnerability density over the study and
six projects increasing. In our previous study, only six
projects had declining vulnerability densities. While SAVD
declined for eight projects, the total number of vulnerabilities
only declined for four of those projects: phpbb, po,
smarty, and squirrelmail.
Figure 2. SAVD Evolution by Project
Vulnerability densities varied widely, from 2.1 vulnerabilities
per thousand lines of code (achievo) to 202 (po)
in June 2006, evolving to 2.7 (achievo) to 206 (po) in
June 2010. Figure 2 shows the evolution of SAVD for each
of the fourteen projects from year to year. Both of the
highest SAVD projects, phpmyadmin and po, contained a
set of vulnerabilities made up mostly of cross-site scripting
vulnerabilities, and had hundreds of commits related to internationalization
efforts, which caused swings of thousands
of vulnerabilities within a week or two at times.
Figure 3 plots the SLOC and vulnerability counts for
WordPress over the four-year period. In early 2007, a release
of WordPress eliminated about a thousand vulnerabilities;
however as new code was added, so were new vulnerabilities.
WordPress contributors demonstrated that they can
write more secure software; however, there are very few
corrections being made after 2007. This approach seems
characteristic of a project that does not have consistent security
processes. However, squirrelmail, as shown in Figure 4,
consistently fixed vulnerabilities over the four year period,
without introducing a large number of new errors, even as
the code grew in size.
In addition to counting vulnerabilities, our BuildBot configuration
collected and analyzed the following software
metrics: SLOC, cyclomatic complexity, and nesting complexity.
While SCA is a commercial static analysis tool, our
other metric tools were open source tools packaged with
Ubuntu Linux 10.04. Cyclomatic Complexity and Nesting
Complexity were computed using PHP CodeSniffer 1.10 [6]
with custom classes and a Ruby script to extract only the
data we needed.
In our previous study, we used SLOCCount 2.26 [25]
to measure SLOC. However, this tool returned inconsistent
results when run multiple times on the same source code,
sometimes failing to report results at all. Therefore, we
used Fortify SCA to count code in this study, which returns
consistent SLOC counts for code, and as it is the same tool
that we used to find vulnerabilities, we expect that it counts
the same code that it finds vulnerabilities in. We still run
SLOCCount on each revision as part of a check to ensure
that our BuildBot-based system produced the same results as
our previous study. SLOC metrics from SCA are lower than
those from SLOCCount, as SCA SLOC does not include
lines with only braces or declarations.
We measured vulnerability density using the static analysis
vulnerability density (SAVD) metric [7] We used results
from Fortify SCA version 5.10 to compute SAVD, as SCA
reported both the number of vulnerabilities and SLOC. This
means that both the numerator and denominator of SAVD
differ from the original study, which results in much higher
SAVD values due to both the larger number of vulnerabilities
found and the smaller code size values. Since Fortify SCA
also categorized vulnerabilities into types such as cross-
Figure 1. SLOC vs. Vulnerabilities for All Project Versions
Table II
AGGREGATE DATA
Datum 2006 2007 2008 2009 2010
SLOC 684,654 782,870 864,113 980,029 1,182,917
Vulnerabilities 19,253 17,404 24,529 24,707 23,613
OWASP Top 10 14,742 12,467 17,970 17,623 17,389
SAVD 28.12 22.23 28.38 25.21 19.96
site scripting and SQL injection, we could also measure
vulnerability density for particular types of vulnerabilities.
IV. AGGREGATE FINDINGS
The size of the aggregate code base for all fourteen
projects steadily grew from 684,654 sources line of code
in mid-2006 to 1,182,917 lines of code in mid-2010. The
number of vulnerabilities also grew throughout that time
period from 19,253 to 23,613, though not steadily, as there
was a large decrease in 2007 followed by a large increase
in 2008. We found that the relationship between the number
of vulnerabilities in a version and the code size was roughly
linear and plotted in Figure 1 using a logarithmic scale.
Clusters of data points are typically different versions from
the same application. As the number of vulnerabilities grew
slower than the the size of the code, vulnerability density
decreased strongly from 28.12 vulnerabilities per thousand
lines of code to 19.96. Table II summarizes the findings of
this analysis.
While the overall trend was towards lower vulnerability
density, individual projects evolved differently, with eight
projects decreasing vulnerability density over the study and
six projects increasing. In our previous study, only six
projects had declining vulnerability densities. While SAVD
declined for eight projects, the total number of vulnerabilities
only declined for four of those projects: phpbb, po,
smarty, and squirrelmail.
Figure 2. SAVD Evolution by Project
Vulnerability densities varied widely, from 2.1 vulnerabilities
per thousand lines of code (achievo) to 202 (po)
in June 2006, evolving to 2.7 (achievo) to 206 (po) in
June 2010. Figure 2 shows the evolution of SAVD for each
of the fourteen projects from year to year. Both of the
highest SAVD projects, phpmyadmin and po, contained a
set of vulnerabilities made up mostly of cross-site scripting
vulnerabilities, and had hundreds of commits related to internationalization
efforts, which caused swings of thousands
of vulnerabilities within a week or two at times.
Figure 3 plots the SLOC and vulnerability counts for
WordPress over the four-year period. In early 2007, a release
of WordPress eliminated about a thousand vulnerabilities;
however as new code was added, so were new vulnerabilities.
WordPress contributors demonstrated that they can
write more secure software; however, there are very few
corrections being made after 2007. This approach seems
characteristic of a project that does not have consistent security
processes. However, squirrelmail, as shown in Figure 4,
consistently fixed vulnerabilities over the four year period,
without introducing a large number of new errors, even as
the code grew in size.
0/5000
C.衡量标准除了计数漏洞,我们 BuildBot 配置收集并分析以下软件度量 ︰ SLOC,圈复杂度和筑巢的复杂性。SCA 是一个商业静态分析工具,而我们其他度量工具是开放源码工具打包在一起Linux Ubuntu 10.04。圈复杂度和嵌套复杂性计算使用 PHP CodeSniffer 1.10 [6]使用自定义类和一个 Ruby 脚本,只提取我们所需的数据。在我们以前的研究中,我们使用 SLOCCount 2.26 [25]来衡量 SLOC。但是,此工具返回不一致结果当多次运行在相同的源代码,有时根本未报告结果。因此,我们用于强化 SCA 计数在此研究中,返回代码一致 SLOC 计数的代码,以及它是相同的工具我们用于查找漏洞,我们期待它计数相同的代码,它发现中的漏洞。我们仍然运行SLOCCount 对每个修订作为检查的一部分,以确保我们基于 BuildBot 的系统产生相同的结果我们前期的研究。从 SCA SLOC 度量是低于那些从 SLOCCount,作为 SCA SLOC 不包括只有大括号或声明的行。我们衡量脆弱性密度使用静态分析漏洞密度 (SAVD) 度量 [7] 我们使用结果从巩固 SCA 版本 5.10 计算 SAVD,作为 SCA报告数目的脆弱性和 SLOC。这意味着,分子和分母的 SAVD不同于最初的研究结果在高得多由于这两个较大的漏洞数量 SAVD 值发现和更小的代码大小的值。因为强化 SCA此外进行了分类类型,如跨进漏洞图 1。SLOC 与漏洞项目的所有版本表二聚合数据基准 2006年 2007年 2008年 2009年 2010SLOC 684,654 782,870 864,113 980,029 1,182,917漏洞 19,253 17,404 24,529 24,707 23,613OWASP 顶部 10 14,742 12,467 17,970 17,623 17,389SAVD 28.12 22.23 28.38 25.21 19.96站点脚本和 SQL 注入,我们也可衡量漏洞密度为特定类型的安全漏洞。四.聚合结果基地所有十四聚合代码的大小项目稳步增长从 684,654 源行的代码在 2006 年中期到 2010 年年中代码 1,182,917 行。的安全漏洞数量也增长在这整个期间期间从 19,253 到 23,613,虽然不稳,作为那里在 2007 年之后大增加大幅度降低在 2008 年。我们发现数量之间的关系版本和代码中的漏洞的大小大约是线性和绘制在图 1 中使用对数刻度。成群的数据点是通常不同版本同一应用程序。安全漏洞的数量随着比慢的代码漏洞密度的大小强烈减少了从千分之 28.12 漏洞行至 19.96 代码。表二总结的结果这种分析。虽然总的趋势是降低脆弱性密度,个别项目不同,随着八降低脆弱性密度对其研究项目和增加的六个项目。在我们前面的研究,只有六个项目一度减少脆弱性密度。虽然 SAVD八个工程项目,安全漏洞的总数量下降仅下降四这些项目 ︰ phpbb,大埔,smarty 和 squirrelmail。图 2。SAVD 演化的项目漏洞密度相差很大,从 2.1 漏洞每千行代码 (大展) 到 202 (po)2006 年 6 月,演变到 2.7 (大展) 至 206 (po)2010 年 6 月。图 2 显示 SAVD 的演化为每个一年到一年的 14 个项目。两个最高的 SAVD 项目、 phpmyadmin 及大埔,载组的组成主要的跨站点脚本漏洞漏洞,和数百名提交涉及国际化努力,造成数以千计的波动在一两个星期的时间内安全漏洞。图 3 地块 SLOC 和漏洞计数在四年期间的 WordPress。在 2007 年年初,释放WordPress 的消除关于一千的脆弱性;不过添加了新的代码,因此,是新的漏洞。WordPress 派遣证明他们可以编写更安全的软件;然而,也有极少数2007 年后作了更正。这种方法似乎一个项目,并没有一致的安全特性进程。然而,squirrelmail,如图 4 所示在四年期间,一直固定漏洞而不会引入大量的新的错误,甚至作为代码变得越来越大。
正在翻譯中..
C.度量除了计数的漏洞,我们BuildBot配置收集和分析以下软件度量:SLOC,圈复杂度,复杂度和嵌套。而SCA是一个商业静态分析工具,我们的其他度量工具是开放源工具打包的Ubuntu Linux 10.04。圈复杂度和嵌套使用PHP codesniffer 1.10 [ 6 ]计算复杂性用自定义类和一个红宝石脚本提取我们需要的数据。在我们以前的研究中,我们使用sloccount 2.26 [ 25 ]测量行。然而,这个工具返回不一致结果在同一源代码运行多次时,有时不报告结果。因此,我们在这项研究中使用Fortify SCA编码计数,并返回一致的代码行计数的代码,因为它是相同的工具我们用来发现漏洞,我们希望它计数相同的代码,它发现的漏洞。我们还跑在每次修订sloccount作为检查以确保我们BuildBot系统产生相同的结果作为我们以前的研究。SLOC度量从SCA低于那些从sloccount,SCA的行不包括只有括号或声明的行。我们测得的漏洞密度使用静态分析漏洞密度(该)度量[ 7 ]我们使用的结果从加强SCA版5.10来计算该,SCA报告的漏洞和代码行数。这意味着无论是分子分母该不同于原来的研究,这导致了更高的该值是由于更大数量的漏洞发现和较小的代码大小值。自从Fortify SCA也分为类型的漏洞,如交叉—图1。SLOC与漏洞的所有项目的版本表二综合数据基准2007 2008 2009 2010 2006684654 782870 864113 980029 1182917行漏洞17404 24707 24529 23613 19253OWASP Top 10 14742 12467 17970 17623 17389该28.12 22.23 28.38 25.21 19.96跨站脚本和SQL注入,我们还可以测量特定类型的安全漏洞密度。四、综合结论总的代码库的大小为十四项目稳步增长从684654源代码行代码年中1182917行代码中。这个漏洞的数量也在这段时间内增长时间从19253到23613,虽然不稳定,如有是一个大的下降,其次是大幅增加20072008。我们发现,数量之间的关系在一个版本中的漏洞和代码大小大致是图1中的线性和绘制使用对数刻度。集群的数据点通常是不同的版本相同的应用程序。随着漏洞的数量增长比代码的大小,脆弱性密度强烈下降,从每千28.12个漏洞代码行到19.96。表二总结了研究结果这一分析。虽然总体趋势是朝着较低的脆弱性密度,个别项目演变不同,与八项目减少脆弱性的研究和六个项目增加。在我们以前的研究中,只有六项目的脆弱性密度下降。而该下降了八个项目,漏洞总数只有拒绝那些项目四:phpBB,宝,你很聪明,和小松鼠网页电子邮件系统。图2。该发展项目漏洞密度变化很大,从2.1个漏洞每千行代码(大展)202(PO)2006年六月,发展到2.7(大展)206(PO)在六月2010。图2显示了每个该演化十四个项目,每年到一年。两者的该项目最高,phpMyAdmin和PO,包含设置的漏洞主要是跨站点脚本漏洞,并有数百个提交相关的国际化努力,造成了成千上万的波动在一周或2次的漏洞。图3图SLOC和漏洞数量在过去的4年期的WordPress。在2007年初,一个发行WordPress的消除约一千的漏洞;但是随着新代码的添加,新的漏洞。WordPress的贡献者证明他们能写更安全的软件,但是,很少有2007后改正。这种做法似乎不具有一致性的项目的特性过程。然而,小松鼠网页电子邮件系统,如图4所示,持续固定的漏洞超过四年的时间,不引入大量新的错误,即使是代码增长的规模。
正在翻譯中..
其它語言
本翻譯工具支援: 世界語, 中文, 丹麥文, 亞塞拜然文, 亞美尼亞文, 伊博文, 俄文, 保加利亞文, 信德文, 偵測語言, 優魯巴文, 克林貢語, 克羅埃西亞文, 冰島文, 加泰羅尼亞文, 加里西亞文, 匈牙利文, 南非柯薩文, 南非祖魯文, 卡納達文, 印尼巽他文, 印尼文, 印度古哈拉地文, 印度文, 吉爾吉斯文, 哈薩克文, 喬治亞文, 土庫曼文, 土耳其文, 塔吉克文, 塞爾維亞文, 夏威夷文, 奇切瓦文, 威爾斯文, 孟加拉文, 宿霧文, 寮文, 尼泊爾文, 巴斯克文, 布爾文, 希伯來文, 希臘文, 帕施圖文, 庫德文, 弗利然文, 德文, 意第緒文, 愛沙尼亞文, 愛爾蘭文, 拉丁文, 拉脫維亞文, 挪威文, 捷克文, 斯洛伐克文, 斯洛維尼亞文, 斯瓦希里文, 旁遮普文, 日文, 歐利亞文 (奧里雅文), 毛利文, 法文, 波士尼亞文, 波斯文, 波蘭文, 泰文, 泰盧固文, 泰米爾文, 海地克里奧文, 烏克蘭文, 烏爾都文, 烏茲別克文, 爪哇文, 瑞典文, 瑟索托文, 白俄羅斯文, 盧安達文, 盧森堡文, 科西嘉文, 立陶宛文, 索馬里文, 紹納文, 維吾爾文, 緬甸文, 繁體中文, 羅馬尼亞文, 義大利文, 芬蘭文, 苗文, 英文, 荷蘭文, 菲律賓文, 葡萄牙文, 蒙古文, 薩摩亞文, 蘇格蘭的蓋爾文, 西班牙文, 豪沙文, 越南文, 錫蘭文, 阿姆哈拉文, 阿拉伯文, 阿爾巴尼亞文, 韃靼文, 韓文, 馬來文, 馬其頓文, 馬拉加斯文, 馬拉地文, 馬拉雅拉姆文, 馬耳他文, 高棉文, 等語言的翻譯.
- 来多长时间了
- حناااا رجال مـَٓـَٓـَٓـََٓٓـَٓـَٓـاٱ تعر
- 提撥金額
- 承诺
- 我问你来多长时间了
- 外婆
- scrie pe fiecare petala cate un numar ma
- 我的妈妈很为我骄傲
- 虾米
- خوشگل خانوم
- scrie pe fiecare petala cate un numar ma
- 贵公司的机床在使用过程中,出现以下情况,请逐一回复:Z轴在加工过程中,下降速度不
- Грузы, весом до 150 кг.
- 我发中文你能翻译吗?
- 戴隐形眼镜,眼睛干涩,眼药水
- 因为我在想你
- 在人體結構中的免疫系統可以保護身體免受感染,包含了所有產生對抗潛在致病原防衛作用
- QQ邮箱回复删除更多AW: AW: AW: AW: AW: 回复:AW: AW:
- U are talking with my girlfriend right
- kandung tiri
- 带状疱疹
- Madami ka siguro ibang babae
- 你能看懂中文吗?
- Продължение
