Abstract

Context: Security issues in Open-Source (OS) software systems emerge from the everyday coding activities of developers. As security best practices move toward "shift-left" paradigms, which emphasize early and continuous integration of security into the development process, understanding how these issues are introduced and fixed has become increasingly important.

Objective: Our primary goal is to study the spread and evolution of security issues that lie in the source code of OS Python software systems at the commit level.

Method: We conducted a mining study in which we quantitatively analyzed the commit histories of 361 OS Python software systems whose repositories were publicly available on GitHub, for a total of 380,931 commits analyzed. To identify security issues at the commit level, we used SonarQube, a Static Application Security Testing (SAST) tool that is popular and widely used in both academic and industrial contexts.

Results: We observed that security issues are widespread in OS Python software systems (on average, there are about 14 security issues per commit) and tend to survive for 11 days and 14 commits. Critical security issues, despite their high severity level, are the most widespread and tend to survive the longest. Furthermore, we noticed that 55 kinds of security issues, belonging to 62 OWASP Top 10 and CWE security classes, were introduced, and the top six (by number of introductions) are mostly critical and account for 77% of all introduced security issues.

Conclusions: Python developers need to give the utmost importance to security issues, particularly critical ones. To that end, we suggest that developers adopt secure coding practices, automated tools, or even DevSecOps to limit or avoid the introduction of security issues into their source code, or to fix them as soon as possible.
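The Method and Results above rest on two commit-level measurements: spread (findings per commit) and survival (how many commits and days a finding persists between the commit that introduces it and the commit that removes it). The following Python script is an added illustration of how such measurements can be derived from per-commit SAST results; it is not the paper's tooling, and the commit records, rule keys, file names and dates are constructed. It also assumes a finding's identity across commits is the pair (rule, file), which is a simplification, and it treats findings still present at the last commit as open (right-censored) rather than as fixed.

```python
"""Spread and survival of SAST findings across a commit history.

Added illustration: the commit records below are constructed to resemble
what a scanner such as SonarQube reports per revision (rule key, severity,
file). They are not the paper's data and not SonarQube's export format.
"""
from datetime import date
from statistics import mean

# Constructed history, oldest first. Each commit lists the findings the
# scanner reported on that revision. Rule keys, files and dates are made up.
COMMITS = [
    {"sha": "c1", "date": "2024-01-01", "issues": [
        {"rule": "rule-A", "severity": "CRITICAL", "file": "app.py"},
        {"rule": "rule-B", "severity": "MAJOR", "file": "util.py"},
    ]},
    {"sha": "c2", "date": "2024-01-04", "issues": [
        {"rule": "rule-A", "severity": "CRITICAL", "file": "app.py"},
        {"rule": "rule-B", "severity": "MAJOR", "file": "util.py"},
        {"rule": "rule-C", "severity": "CRITICAL", "file": "db.py"},
    ]},
    {"sha": "c3", "date": "2024-01-10", "issues": [  # rule-B gone: fixed here
        {"rule": "rule-A", "severity": "CRITICAL", "file": "app.py"},
        {"rule": "rule-C", "severity": "CRITICAL", "file": "db.py"},
    ]},
    {"sha": "c4", "date": "2024-01-15", "issues": [  # rule-A gone: fixed here
        {"rule": "rule-C", "severity": "CRITICAL", "file": "db.py"},
    ]},
]


def issue_key(issue):
    """Identity of a finding across commits (assumption: same rule, same file).
    A line-number-based key would break whenever code above it moves."""
    return (issue["rule"], issue["file"])


def issues_per_commit(commits):
    """Spread: mean number of open findings per analyzed commit."""
    return mean(len(c["issues"]) for c in commits)


def _lifetime(commits, key, severity, intro_idx, end_idx, fixed):
    """Survival of one finding from its introducing commit to end_idx.
    'commits' counts commits from introduction to fix (or to the last
    analyzed commit if still open); 'days' is the calendar distance."""
    d0 = date.fromisoformat(commits[intro_idx]["date"])
    d1 = date.fromisoformat(commits[end_idx]["date"])
    return {
        "key": key,
        "severity": severity,
        "intro_sha": commits[intro_idx]["sha"],
        "fix_sha": commits[end_idx]["sha"] if fixed else None,
        "commits": end_idx - intro_idx,
        "days": (d1 - d0).days,
        "fixed": fixed,
    }


def issue_lifetimes(commits):
    """Walk the history once: a finding is introduced the first commit it is
    seen in and fixed the first later commit it is absent from. A finding
    that reappears after a fix counts as a new introduction."""
    open_issues = {}  # key -> (intro_index, severity)
    lifetimes = []
    for idx, commit in enumerate(commits):
        present = {issue_key(i): i["severity"] for i in commit["issues"]}
        for key, sev in present.items():
            if key not in open_issues:
                open_issues[key] = (idx, sev)
        for key in list(open_issues):
            if key not in present:
                intro_idx, sev = open_issues.pop(key)
                lifetimes.append(_lifetime(commits, key, sev, intro_idx, idx, True))
    last = len(commits) - 1
    for key, (intro_idx, sev) in open_issues.items():
        lifetimes.append(_lifetime(commits, key, sev, intro_idx, last, False))
    return lifetimes


def survival_by_severity(lifetimes):
    """Mean survival (commits, days) of fixed findings, grouped by severity.
    Open findings are excluded so censoring does not bias the means down."""
    groups = {}
    for lt in lifetimes:
        if lt["fixed"]:
            groups.setdefault(lt["severity"], []).append(lt)
    return {sev: (mean(l["commits"] for l in lts), mean(l["days"] for l in lts))
            for sev, lts in groups.items()}


def summarize(commits):
    """Headline numbers in the shape the abstract reports them."""
    lts = issue_lifetimes(commits)
    fixed = [l for l in lts if l["fixed"]]
    return {
        "issues_per_commit": issues_per_commit(commits),
        "mean_survival_commits": mean(l["commits"] for l in fixed),
        "mean_survival_days": mean(l["days"] for l in fixed),
        "still_open": sum(1 for l in lts if not l["fixed"]),
        "by_severity": survival_by_severity(lts),
    }


if __name__ == "__main__":
    for row in issue_lifetimes(COMMITS):
        print(row)
    print(summarize(COMMITS))
```

On a real repository the per-commit issue lists would come from checking out each revision and running the scanner; the bookkeeping above is the part that turns those snapshots into the introduction, fix and survival figures the study reports.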
Nocera et al. studied this question.