Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Finding 709 Defects in 258 Projects: An Experience Report on Applying CodeQL to Open-Source Embedded Software (Experience Paper) -- Extended Report

Mingjie Shen, Akul Abhilash Pillai, Brian A. Yuan, James C. Davis, Aravind Machiry

TL;DR

This paper investigates the prevalence and effectiveness of static analysis for Open-Source Embedded Software (EMBOSS) by applying CodeQL across 258 EMBOSS projects. It combines automated CI-workflow analysis with developer surveys and a targeted manual review to quantify defects found (709 total, 535 security-related) and the acceptance of fixes and CI integration. Despite prior concerns about false positives, CodeQL demonstrated strong precision (high among sampled warnings) and notable developer engagement, including 37 merged CodeQL workflows and two CVEs. The findings advocate broader adoption of modern SAST tools in EMBOSS, with practical guidance on tailoring queries to embedded contexts and integrating SAST into CI pipelines to reduce security risk in critical embedded ecosystems.

Abstract

In this experience paper, we report on a large-scale empirical study of Static Application Security Testing (SAST) in Open-Source Embedded Software (EMBOSS) repositories. We collected a corpus of 258 of the most popular EMBOSS projects, and then measured their use of SAST tools via program analysis and a survey (N=25) of their developers. Advanced SAST tools are rarely used -- only 3% of projects go beyond trivial compiler analyses. Developers cited the perception of ineffectiveness and false positives as reasons for limited adoption. Motivated by this deficit, we applied the state-of-the-art (SOTA) CodeQL SAST tool and measured its ease of use and actual effectiveness. Across the 258 projects, CodeQL reported 709 true defects with a false positive rate of 34%. There were 535 (75%) likely security vulnerabilities, including in major projects maintained by Microsoft, Amazon, and the Apache Foundation. EMBOSS engineers have confirmed 376 (53%) of these defects, mainly by accepting our pull requests. Two CVEs were issued. Based on these results, we proposed pull requests to include our workflows as part of EMBOSS Continuous Integration (CI) pipelines, 37 (71% of active repositories) of these are already merged. In summary, we urge EMBOSS engineers to adopt the current generation of SAST tools, which offer low false positive rates and are effective at finding security-relevant defects.

Finding 709 Defects in 258 Projects: An Experience Report on Applying CodeQL to Open-Source Embedded Software (Experience Paper) -- Extended Report

TL;DR

This paper investigates the prevalence and effectiveness of static analysis for Open-Source Embedded Software (EMBOSS) by applying CodeQL across 258 EMBOSS projects. It combines automated CI-workflow analysis with developer surveys and a targeted manual review to quantify defects found (709 total, 535 security-related) and the acceptance of fixes and CI integration. Despite prior concerns about false positives, CodeQL demonstrated strong precision (high among sampled warnings) and notable developer engagement, including 37 merged CodeQL workflows and two CVEs. The findings advocate broader adoption of modern SAST tools in EMBOSS, with practical guidance on tailoring queries to embedded contexts and integrating SAST into CI pipelines to reduce security risk in critical embedded ecosystems.

Abstract

In this experience paper, we report on a large-scale empirical study of Static Application Security Testing (SAST) in Open-Source Embedded Software (EMBOSS) repositories. We collected a corpus of 258 of the most popular EMBOSS projects, and then measured their use of SAST tools via program analysis and a survey (N=25) of their developers. Advanced SAST tools are rarely used -- only 3% of projects go beyond trivial compiler analyses. Developers cited the perception of ineffectiveness and false positives as reasons for limited adoption. Motivated by this deficit, we applied the state-of-the-art (SOTA) CodeQL SAST tool and measured its ease of use and actual effectiveness. Across the 258 projects, CodeQL reported 709 true defects with a false positive rate of 34%. There were 535 (75%) likely security vulnerabilities, including in major projects maintained by Microsoft, Amazon, and the Apache Foundation. EMBOSS engineers have confirmed 376 (53%) of these defects, mainly by accepting our pull requests. Two CVEs were issued. Based on these results, we proposed pull requests to include our workflows as part of EMBOSS Continuous Integration (CI) pipelines, 37 (71% of active repositories) of these are already merged. In summary, we urge EMBOSS engineers to adopt the current generation of SAST tools, which offer low false positive rates and are effective at finding security-relevant defects.
Paper Structure (48 sections, 12 figures, 11 tables)

This paper contains 48 sections, 12 figures, 11 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Open-Source Embedded Software (EMBOSS)
  4. Definition of Embedded Software and EMBOSS
  5. Measuring Project Importance
  6. Static Application Security Testing (SAST)
  7. SAST vs. DAST in Embedded Software
  8. Landscape of SAST Tools
  9. How SAST is Applied in Modern OSS
  10. Motivation
  11. Prevalence Study
  12. Corpus of Major EMBOSS Projects
  13. EMBOSS from GitHub Search
  14. EMBOSS from Index of RTOSes
  15. Analysis of Corpus
  16. ...and 33 more sections

Figures (12)

  • Figure 1: Two-pronged approach to collecting embedded software dataset. The GitHub search (left side) was performed on April 8, 2023. The osrtos.com search (right side) was performed on June 7, 2023.
  • Figure 2: Summary of our developer survey on the use of SAST tools.
  • Figure 3: Histograms (left axis) and CCDFs (right axis) of # of total and security-relevant defects in a repository. The CCDF values at 0 defects indicate that defects are discovered in 64% of repositories, and security-relevant defects are discovered in 56% of repositories.
  • Figure 4: Top-10 CodeQL queries by security-relevant defects found.
  • Figure 5: CCDF of the severity of security defects.
  • ...and 7 more figures