“Software security is undoubtedly a major concern in today’s software engineering. Although the level of awareness of security issues is often high, practical experiences show that neither preventive actions nor reactions to possible issues are always addressed properly in reality. By analyzing large quantities of commits in the open-source communities, typical security-related activities can be categorized, as well as we can explore language peculiarities to learn and improve our security management processes and practices.
With the help of the Software Heritage Graph Dataset, we investigated the commits of two of the most popular script language - Python and JavaScript - projects collected from public repositories and identified those that might refer to security-related changes, vulnerability fixes in particular. On the one hand, we identified the types of security issues (in terms of CWE groups) referred to in commit messages and compared their numbers within the two communities. On the other hand, we examined the average time elapsing between the publish date of a security issue and the first reference to it in a commit. We found that there is a large intersection in the issue types addressed by the two communities, but most prevalent issues are specific to a language. Moreover, neither the JavaScript nor the Python community reacts very fast to appearing security issues.”