A study on the use of vulnerabilities databases in software engineering domain

Abstract: Over the last decade several software vulnerability databases have been introduced to guide researchers and developers in building more secure and reliable software. While the Software Engineering (SE) research community is increasingly aware of these vulnerability databases, no comprehensive literature survey exists that studies how they are used in software development. The objective of our survey is to provide insights into how the research landscape around software vulnerability databases (SVDBs) has evolved over the past 17 years and to outline open challenges associated with their use in non-security domains. More specifically, we introduce a semi-automated methodology based on topic modeling to discover the relevant topics in our dataset of 99 SE research articles. We identify 24 topics covering the use of SVDBs in the SE domain. The results show that i) the topics describing the use of SVDBs range from empirical security (case) studies to tools for generating security test cases; ii) the majority of the surveyed papers address only a limited number of software engineering contributions or activities (e.g., maintenance); and iii) most of the surveyed articles rely on a single SVDB as their knowledge source. The dataset and results are available at https://github.com/isultane/svdbs_dataset