Secure code is one of the key parameters which must be taken care while software is being developed. Inspecting the source code at the earlier stages is always a better approach. Inspection involves carefully examining the source code for any flaws which may cause problems in the later stage of the software life cycle. The Vulnerability is a kind of weakness or security flaws in code that can be exploited by an attacker to perform unauthorized actions. A vulnerable code will lead to severe threats to the security of software. In this paper, we have investigated the source code of a well-known open source software (OSS) projects written in C and C++ programming language and figure out the presence of vulnerability in the software. The results also indicate that the vulnerabilities in the source code have shown an increasing trend with the lines of code (LOC). It pointed to the fact that addition of new features or change request into the OSS project will cause an increase in the vulnerability as well. It gives significant implication to the developers or project managers of OSS projects to not deny the existence of security flaws in the software as the software evolves. The obtained results will also help the project managers and developers to measure the state of software.

Open Source Software, Software Quality, Hits, Flawfinder, Vulnerability, Code Scanning tools

[1] Younan, Y., W. Joosen, and F. Piessens. "Code Injection in C and C++: A Survey of Vulnerabilities and Countermeasures (Tech. Rep. No. CW 386)." Leuven, Belgium: Departement Computerwetenschappen, Katholieke Universiteit Leuven (2004)
[2] Piessens, Frank. "A taxonomy of causes of software vulnerabilities in internet software." Supplementary Proceedings of the 13th International Symposium on Software Reliability Engineering. 2002.
[3] “Glossary.” Risk Management & Information Security Management Systems - ENISA, 20 Jan. 2016, www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory/glossary#G52.
[4] Abbott, Robert P., et al. Security analysis and enhancements of computer operating systems. No. NBSIR-76-1041. NATIONAL BUREAU OF STANDARDS WASHINGTONDC INST FOR COMPUTER SCIENCES AND TECHNOLOGY, 1976.
[5] Aslam, Taimur. "A taxonomy of security faults in the unix operating system." Master`s thesis, Purdue University 199.5 (1995).
[6] Yamaguchi, Fabian, et al. "Chucky: Exposing missing checks in source code for vulnerability discovery." Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 2013.
[7] Ball, Thomas, et al. "Thorough static analysis of device drivers." ACM SIGOPS Operating Systems Review 40.4 (2006): 73-85.
[8] DeKok, Alan. "PScan: A limited problem scanner for C source files." (2013).
[9] Evans, David, and David Larochelle. "Improving security using extensible lightweight static analysis." IEEE software 1 (2002): 42-51.
[10] Kernighan, Brian W., and M. Dennis. "Ritchie. The C Programming Language." (1988).
[11] Stroustrup, Bjarne. The C++ programming language. Pearson Education India, 2000.
[12] HeapOverflow:https://www.owasp.org/index.php/Testing_for_Heap_Overflow,StackOverflow:https://www.owasp.org/index.php/Testing_for_Stack_Overflow,FormatString:https://www.owasp.org/index.php/Testing_for_Format_String .
[13] Conover, Matt. "w00w00 on heap overflows." (1999).
[14] Intel Corporation. IA-32 Intel Architecture Software Developer’s Manual Volume 1: Basic Architecture, 2001. Order Nr 245470.
[15] scut. Exploiting format string vulnerabilities. http://www.team-teso.net/articles/formatstring/, 2001
[16] IDA PRO, https://www.hex-rays.com/products/ida/overview.html
[17] Brumley, David, et al. "RICH: Automatically protecting against integer-based vulnerabilities." Department of Electrical and Computing Engineering (2007): 28.
[18] Zitser, Misha, Richard Lippmann, and Tim Leek. "Testing static analysis tools using exploitable buffer overflows from open source code." ACM SIGSOFT Software Engineering Notes. Vol. 29. No. 6. ACM, 2004.
[19] Viega, John, et al. "ITS4: A static vulnerability scanner for C and C++ code." Computer Security Applications, 2000. ACSAC`00. 16th Annual Conference. IEEE, 2000.
[20] Flawfindetr: https://dwheeler.com/flawfinder/flawfinder.pdf and A book entitled as “Secure Programming HOWTO” by David A. Wheeler.
[21] Fatima, Anum, Shazia Bibi, and Rida Hanif. "Comparative study on static code analysis tools for C/C++." Applied Sciences and Technology (IBCAST), 2018 15th International Bhurban Conference on. IEEE, 2018.
[22] GIT HUB, https://github.com/mysql/mysql-server.