Title: Method-Level Data in GitHub Pull Request Descriptions: Effects on Developers' Prioritization and Facilitation of Fixing Vulnerable Dependencies
Author: Popovici, Tudor (TU Delft Electrical Engineering, Mathematics and Computer Science; TU Delft Software Technology)
Contributors: Keshani, M. (mentor); Proksch, S. (mentor); Katsifodimos, A. (graduation committee)
Degree granting institution: Delft University of Technology
Programme: Computer Science and Engineering
Project: CSE3000 Research Project
Date: 2021-07-02

Abstract:
Modern software development involves the use of external third-party software projects as direct dependencies. However, the developers of a dependent project have no control over critical aspects of the dependency, such as its development and testing. This can put the reliant repositories at risk through vulnerabilities that malicious attackers can exploit. Automated dependency maintenance tools can mitigate these risks, but they have an observed shortcoming: their package-level analysis approach reduces their vulnerability detection accuracy. In this study, a total of 6.717 active projects hosted on GitHub were analysed using a method-level vulnerability analysis, which discovered 24 projects affected by 4 distinct exposures. The developers were notified through GitHub Pull Requests listing the methods in their projects that call vulnerable dependency methods. This was done with the aim of answering: (i) whether the provided method call information makes developers prioritize the task of fixing vulnerabilities, and (ii) whether the fine-grained information facilitates the process of handling the exposures. Developers' reactions to the method-level data were collected through a survey.

Collected data revealed that the fine-grained information in the PRs did have a positive effect on the developers' prioritization of fixing the vulnerable dependencies. Moreover, the provided data also facilitated the maintainers' fix process to some extent. However, due to the limited number of recorded responses, the research question could not be answered conclusively.

Subject: Dependency Analysis; Method-Level; Vulnerability; Package-Level; Dependabot; GitHub; Pull Requests; Dependency; Dependant
To reference this document use: http://resolver.tudelft.nl/uuid:ccdc8271-b2e7-459a-af92-348509a514e5
Part of collection: Student theses
Document type: bachelor thesis
Rights: © 2021 Tudor Popovici
Files: Bachelor_Thesis_Tudor_Popovici.pdf (PDF, 274.74 KB)