Analysis of Java's Common Vulnerabilities and Exposures in GitHub's Open-Source Projects

Author: Akanmu, Semiu
Date accessioned: 2023-12-07T16:10:37Z
Date available: 2023-12-07T16:10:37Z
Date issued: 2022
Abstract: Java developers rely on code reuse because it saves time and effort, but reused code exposes them to vulnerabilities in publicly available open-source software (OSS) projects. This study used a multi-stage research approach to investigate the extent to which open-source Java projects are secure. The process combined text analysis of the descriptions of Java-related Common Vulnerabilities and Exposures (CVE) entries with static code analysis using GitHub's CodeQL. From the MITRE CVE descriptions, the study identified (a) cross-site scripting, (b) buffer overflow (analyzed as array index out of bounds, the form this class takes in Java's bounds-checked arrays), (c) data deserialization, (d) missing validation of untrusted input, and (e) validation method bypass as the prevalent Java vulnerabilities. Static code analysis of the seven Java projects, out of the 100 top projects cloned from GitHub, that were compatible with the analysis found the array index out-of-bounds vulnerability in 71.4% of them (five of the seven).
URI: https://hdl.handle.net/10365/33288
Publisher: North Dakota State University
Rights: NDSU policy 190.6.2
Rights URI: https://www.ndsu.edu/fileadmin/policy/190.pdf
Subjects: common vulnerabilities and exposures; GitHub; Java; open source projects; static analysis
Title: Analysis of Java's Common Vulnerabilities and Exposures in GitHub's Open-Source Projects
Type: Thesis
Advisor: Zubair, Malik Muhammad
College: Engineering
Degree: Master of Science (MS)
Department: Computer Science
Program: Computer Science
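The array index out-of-bounds pattern that the abstract reports as the most common CodeQL finding, as an added example that is not from the thesis or from any of the analyzed projects. It puts the flagged shape (an index parsed from untrusted input and used directly) next to a hardened version. The class name, the SEVERITIES table and the sample inputs are constructed for illustration; CodeQL's java/improper-validation-of-array-index query is the standard query for this pattern, though the page does not state which queries the thesis ran.

```java
import java.util.Objects;

/**
 * Added example (not from the thesis): an array index taken from untrusted
 * input, in the vulnerable form that taint-tracking static analysis flags
 * and in a hardened form. The "request parameter" is simulated with a
 * plain String argument so the class runs stand-alone.
 */
public class IndexFromUntrustedInput {

    // Constructed lookup table standing in for any application array.
    private static final String[] SEVERITIES = {"low", "medium", "high", "critical"};

    // Vulnerable: the index comes straight from untrusted input and is used
    // without a range check. Java's runtime bounds check turns a bad index
    // into an ArrayIndexOutOfBoundsException, so the impact is an unhandled
    // exception (denial of service, stack trace leakage) rather than memory
    // corruption, which is why the thesis treats "buffer overflow" this way.
    static String lookupUnchecked(String untrustedIndex) {
        int idx = Integer.parseInt(untrustedIndex); // attacker-controlled value
        return SEVERITIES[idx];                     // tainted array index
    }

    // Hardened: parse defensively and validate the range before indexing.
    // Objects.checkIndex (Java 9+) rejects anything outside [0, length);
    // both failure modes are mapped to one clear IllegalArgumentException
    // so the caller can return a 400-style error instead of crashing.
    static String lookupChecked(String untrustedIndex) {
        int idx;
        try {
            idx = Integer.parseInt(untrustedIndex);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("index is not an integer: " + untrustedIndex, e);
        }
        try {
            Objects.checkIndex(idx, SEVERITIES.length);
        } catch (IndexOutOfBoundsException e) {
            throw new IllegalArgumentException("index out of range: " + idx, e);
        }
        return SEVERITIES[idx];
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a valid index, a negative one,
        // one past the end, and a non-numeric string.
        String[] samples = {"2", "-1", "4", "abc"};
        for (String s : samples) {
            try {
                System.out.println("unchecked(" + s + ") = " + lookupUnchecked(s));
            } catch (RuntimeException e) {
                System.out.println("unchecked(" + s + ") threw " + e.getClass().getSimpleName());
            }
            try {
                System.out.println("checked(" + s + ")   = " + lookupChecked(s));
            } catch (IllegalArgumentException e) {
                System.out.println("checked(" + s + ")   rejected: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac IndexFromUntrustedInput.java && java IndexFromUntrustedInput`. Only "2" succeeds in the unchecked path; the other three raise ArrayIndexOutOfBoundsException or NumberFormatException, which is the behaviour a taint-tracking query reports as a finding. The checked path accepts "2" and rejects the rest with a controlled error.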

Files

Original bundle: Analysis of Java's Common Vulnerabilities and Exposures in GitHub's Open-Source Projects.pdf (634.91 KB, Adobe Portable Document Format)

License bundle: license.txt (1.63 KB, item-specific license agreed to upon submission)