An Exploratory Study on the Relationship of Smells and Design Issues with Software Vulnerabilities
Description
Software vulnerabilities are a major concern for companies as
they must ensure that their data is protected from security
breaches. The latter can result in confidential and sensitive data
being lost, corrupted, modified, or destroyed and, subsequently,
have serious consequences such as financial loss and a damaged
reputation for the company. Many software companies strive
to adopt secure coding practices as a preventive measure or
to bring potential vulnerabilities to light before the software is
deployed. Traditionally, metrics have been widely used to uncover
vulnerabilities. However, many studies have recently used code
smells to disclose vulnerabilities. This preliminary study explores
the relationship between smells, design issues, and software
vulnerabilities. As smells and design issues are indicators of deeper
problems in the software, establishing their relationship with
vulnerabilities can be helpful for vulnerability prediction. We
analyzed 561 versions of nine open-source software by exploring the
smells and design issues in vulnerable and non-vulnerable classes.
We found that a subset of smells and design issues have a statistically
significant relationship with the vulnerable classes. On the other
hand, after performing a manual analysis using the vulnerability
descriptions and vulnerability fix-commit details, we found no
indication that smells or design issues induce vulnerabilities. In
addition, we found that smells and design issues were still present
in those code segments even after resolving the vulnerabilities.
Files
MSR4_P_S2022_replication_package.zip (185.5 MB)
md5: 38479fa160e8edb113fe03f1f4f79beb