Analyzing the Evolution of Source Code to Predict Vulnerabilities

Kalana Ranasinghe, Chamath Keppitiyagama

2022 22nd International Conference on Advances in ICT for Emerging Regions (ICTer)(2022)

Abstract
Even though numerous prior studies concentrate on finding and forecasting vulnerabilities, the research community has paid less attention to the aftermath of vulnerability remedies as represented in code. Our primary goal was to better understand what happens to source code following vulnerability remediation, through source code and repository analysis. For this research, two distinct data sets were constructed: a dataset containing vulnerability-fix data and a dataset containing bug-fix data. In this context, we define vulnerabilities as entries associated with Common Weakness Enumeration (CWE) entries. Accordingly, we examined the 80 most popular open-source JavaScript-based repositories, which contained more than 401K commits, to conduct a timeline analysis based on vulnerability fixes and introductions. Based on these commits, we extracted source files and generated the corresponding Abstract Syntax Tree (AST) for each file. Following that, we introduced a way to calculate an entropy value on an AST and a simple algorithm to identify a significant instance based on that value. Moreover, by carrying out hypothesis testing, we showed that fixing a vulnerability makes a considerably larger change to the code's AST than a bug fix does. Additionally, we demonstrated that code churn significantly increases following a vulnerability fix.
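The abstract does not spell out how the entropy on an AST is defined, so the following added example (not the paper's code) uses one plausible definition, Shannon entropy over the distribution of AST node types, and compares the entropy change of a constructed bug fix against a constructed vulnerability fix. Python's standard `ast` module stands in for the JavaScript parsers the paper's repositories would need; the significance threshold and both before/after snippets are assumptions.

```python
import ast
import math
from collections import Counter


def node_type_distribution(source: str) -> Counter:
    """Count how often each AST node type appears in the parsed source."""
    tree = ast.parse(source)
    return Counter(type(node).__name__ for node in ast.walk(tree))


def ast_entropy(source: str) -> float:
    """Shannon entropy (bits) of the node-type distribution of an AST.

    Assumed definition: the paper's abstract does not give its formula.
    """
    counts = node_type_distribution(source)
    total = sum(counts.values())
    # Sorted so the floating-point sum is deterministic regardless of walk order.
    return -sum((c / total) * math.log2(c / total) for c in sorted(counts.values()))


def entropy_delta(before: str, after: str) -> float:
    """Change in AST entropy introduced by a commit (after minus before)."""
    return ast_entropy(after) - ast_entropy(before)


def is_significant(delta: float, threshold: float = 0.05) -> bool:
    """Flag a commit whose entropy change exceeds a threshold (assumed rule)."""
    return abs(delta) > threshold


# Constructed before/after pairs; not taken from the paper's dataset.
# A bug fix that only changes an operator: node-type counts stay the same.
BUG_BEFORE = "def ok(i, n):\n    return i < n\n"
BUG_AFTER = "def ok(i, n):\n    return i <= n\n"

# A vulnerability fix that adds an input-validation branch: new node types appear.
VULN_BEFORE = "def read_file(base, name):\n    return open(base + name).read()\n"
VULN_AFTER = (
    "def read_file(base, name):\n"
    "    if '..' in name or name.startswith('/'):\n"
    "        raise ValueError('bad name')\n"
    "    return open(base + name).read()\n"
)

if __name__ == "__main__":
    for label, b, a in (("bug fix", BUG_BEFORE, BUG_AFTER), ("vulnerability fix", VULN_BEFORE, VULN_AFTER)):
        d = entropy_delta(b, a)
        print(f"{label}: {ast_entropy(b):.3f} -> {ast_entropy(a):.3f} bits, delta {d:+.3f}, significant={is_significant(d)}")
```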
Keywords
Software Security, Abstract Syntax Tree, Entropy, Vulnerability Analysis, Software Repository Mining