Privacy and security constraints for code contributions
Author(s) - Andrade Rodrigo, Borba Paulo
Publication year - 2020
Publication title - Software: Practice and Experience
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.437
H-Index - 70
eISSN - 1097-024X
pISSN - 0038-0644
DOI - 10.1002/spe.2872
Subject(s) - computer science, domain (mathematical analysis), computer security, code (set theory), vulnerability (computing), benchmark (surveying), source code, static program analysis, software engineering, security policy, software, software development, set (abstract data type), programming language, mathematical analysis, mathematics, geodesy, geography
Summary - In collaborative software development, developers submit their contributions to repositories that are used to integrate code from various collaborators. To avoid privacy and security issues, code contributions are often reviewed before integration. Although careful manual code review can detect such issues, it might be time‐consuming, expensive, and error‐prone. Automatic analysis tools can also detect privacy and security issues, but they often demand significant developer effort, or are domain-specific, considering fixed framework-specific vulnerability sources and sinks. To reduce these problems, in this paper we propose the Salvum policy language to support the specification of constraints that help to protect sensitive information from being inadvertently accessed by specific code contributions. We implement a tool that automatically checks Salvum policies for systems of different technical domains. We also investigate whether Salvum can find policy violations for a number of open‐source projects. We find evidence that Salvum helps to detect violations even for well‐supported and highly active projects. Moreover, our tool helps to find 80 violations in benchmark projects.