C. MetricsIn addition to counting v

C. Metrics
In addition to counting vulnerabilities, our BuildBot configuration
collected and analyzed the following software
metrics: SLOC, cyclomatic complexity, and nesting complexity.
While SCA is a commercial static analysis tool, our
other metric tools were open source tools packaged with
Ubuntu Linux 10.04. Cyclomatic Complexity and Nesting
Complexity were computed using PHP CodeSniffer 1.10 [6]
with custom classes and a Ruby script to extract only the
data we needed.
In our previous study, we used SLOCCount 2.26 [25]
to measure SLOC. However, this tool returned inconsistent
results when run multiple times on the same source code,
sometimes failing to report results at all. Therefore, we
used Fortify SCA to count code in this study, which returns
consistent SLOC counts for code, and as it is the same tool
that we used to find vulnerabilities, we expect that it counts
the same code that it finds vulnerabilities in. We still run
SLOCCount on each revision as part of a check to ensure
that our BuildBot-based system produced the same results as
our previous study. SLOC metrics from SCA are lower than
those from SLOCCount, as SCA SLOC does not include
lines with only braces or declarations.
We measured vulnerability density using the static analysis
vulnerability density (SAVD) metric [7] We used results
from Fortify SCA version 5.10 to compute SAVD, as SCA
reported both the number of vulnerabilities and SLOC. This
means that both the numerator and denominator of SAVD
differ from the original study, which results in much higher
SAVD values due to both the larger number of vulnerabilities
found and the smaller code size values. Since Fortify SCA
also categorized vulnerabilities into types such as cross-
Figure 1. SLOC vs. Vulnerabilities for All Project Versions
Table II
AGGREGATE DATA
Datum 2006 2007 2008 2009 2010
SLOC 684,654 782,870 864,113 980,029 1,182,917
Vulnerabilities 19,253 17,404 24,529 24,707 23,613
OWASP Top 10 14,742 12,467 17,970 17,623 17,389
SAVD 28.12 22.23 28.38 25.21 19.96
site scripting and SQL injection, we could also measure
vulnerability density for particular types of vulnerabilities.
IV. AGGREGATE FINDINGS
The size of the aggregate code base for all fourteen
projects steadily grew from 684,654 sources line of code
in mid-2006 to 1,182,917 lines of code in mid-2010. The
number of vulnerabilities also grew throughout that time
period from 19,253 to 23,613, though not steadily, as there
was a large decrease in 2007 followed by a large increase
in 2008. We found that the relationship between the number
of vulnerabilities in a version and the code size was roughly
linear and plotted in Figure 1 using a logarithmic scale.
Clusters of data points are typically different versions from
the same application. As the number of vulnerabilities grew
slower than the the size of the code, vulnerability density
decreased strongly from 28.12 vulnerabilities per thousand
lines of code to 19.96. Table II summarizes the findings of
this analysis.
While the overall trend was towards lower vulnerability
density, individual projects evolved differently, with eight
projects decreasing vulnerability density over the study and
six projects increasing. In our previous study, only six
projects had declining vulnerability densities. While SAVD
declined for eight projects, the total number of vulnerabilities
only declined for four of those projects: phpbb, po,
smarty, and squirrelmail.
Figure 2. SAVD Evolution by Project
Vulnerability densities varied widely, from 2.1 vulnerabilities
per thousand lines of code (achievo) to 202 (po)
in June 2006, evolving to 2.7 (achievo) to 206 (po) in
June 2010. Figure 2 shows the evolution of SAVD for each
of the fourteen projects from year to year. Both of the
highest SAVD projects, phpmyadmin and po, contained a
set of vulnerabilities made up mostly of cross-site scripting
vulnerabilities, and had hundreds of commits related to internationalization
efforts, which caused swings of thousands
of vulnerabilities within a week or two at times.
Figure 3 plots the SLOC and vulnerability counts for
WordPress over the four-year period. In early 2007, a release
of WordPress eliminated about a thousand vulnerabilities;
however as new code was added, so were new vulnerabilities.
WordPress contributors demonstrated that they can
write more secure software; however, there are very few
corrections being made after 2007. This approach seems
characteristic of a project that does not have consistent security
processes. However, squirrelmail, as shown in Figure 4,
consistently fixed vulnerabilities over the four year period,
without introducing a large number of new errors, even as
the code grew in size.