{"id":"https://openalex.org/W4388483853","doi":"https://doi.org/10.1109/esem56168.2023.10304852","title":"Security Defect Detection via Code Review: A Study of the OpenStack and Qt Communities","display_name":"Security Defect Detection via Code Review: A Study of the OpenStack and Qt Communities","publication_year":2023,"publication_date":"2023-10-26","ids":{"openalex":"https://openalex.org/W4388483853","doi":"https://doi.org/10.1109/esem56168.2023.10304852"},"language":"en","primary_location":{"id":"doi:10.1109/esem56168.2023.10304852","is_oa":false,"landing_page_url":"https://doi.org/10.1109/esem56168.2023.10304852","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5102968371","display_name":"Jiaxin Yu","orcid":"https://orcid.org/0000-0002-0297-4605"},"institutions":[{"id":"https://openalex.org/I37461747","display_name":"Wuhan University","ror":"https://ror.org/033vjfk17","country_code":"CN","type":"education","lineage":["https://openalex.org/I37461747"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Jiaxin Yu","raw_affiliation_strings":["School of Computer Science, Wuhan University,Wuhan,China","Hubei Luojia Laboratory, Wuhan, China","School of Computer Science, Wuhan University, Wuhan, China"],"affiliations":[{"raw_affiliation_string":"School of Computer Science, Wuhan University,Wuhan,China","institution_ids":["https://openalex.org/I37461747"]},{"raw_affiliation_string":"Hubei Luojia Laboratory, Wuhan, China","institution_ids":[]},{"raw_affiliation_string":"School of Computer Science, Wuhan University, Wuhan, China","institution_ids":["https://openalex.org/I37461747"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5109379548","display_name":"Liming Fu","orcid":"https://orcid.org/0000-0002-2891-0116"},"institutions":[{"id":"https://openalex.org/I37461747","display_name":"Wuhan University","ror":"https://ror.org/033vjfk17","country_code":"CN","type":"education","lineage":["https://openalex.org/I37461747"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Liming Fu","raw_affiliation_strings":["School of Computer Science, Wuhan University,Wuhan,China","School of Computer Science, Wuhan University, Wuhan, China","Hubei Luojia Laboratory, Wuhan, China"],"affiliations":[{"raw_affiliation_string":"School of Computer Science, Wuhan University,Wuhan,China","institution_ids":["https://openalex.org/I37461747"]},{"raw_affiliation_string":"School of Computer Science, Wuhan University, Wuhan, China","institution_ids":["https://openalex.org/I37461747"]},{"raw_affiliation_string":"Hubei Luojia Laboratory, Wuhan, China","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5049939779","display_name":"Peng Liang","orcid":"https://orcid.org/0000-0002-2056-5346"},"institutions":[{"id":"https://openalex.org/I37461747","display_name":"Wuhan University","ror":"https://ror.org/033vjfk17","country_code":"CN","type":"education","lineage":["https://openalex.org/I37461747"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Peng Liang","raw_affiliation_strings":["School of Computer Science, Wuhan University,Wuhan,China","School of Computer Science, Wuhan University, Wuhan, China","Hubei Luojia Laboratory, Wuhan, China"],"affiliations":[{"raw_affiliation_string":"School of Computer Science, Wuhan University,Wuhan,China","institution_ids":["https://openalex.org/I37461747"]},{"raw_affiliation_string":"School of Computer Science, Wuhan University, Wuhan, China","institution_ids":["https://openalex.org/I37461747"]},{"raw_affiliation_string":"Hubei Luojia Laboratory, Wuhan, China","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5025562598","display_name":"Amjed Tahir","orcid":"https://orcid.org/0000-0001-9454-1366"},"institutions":[{"id":"https://openalex.org/I51158804","display_name":"Massey University","ror":"https://ror.org/052czxv31","country_code":"NZ","type":"education","lineage":["https://openalex.org/I51158804"]}],"countries":["NZ"],"is_corresponding":false,"raw_author_name":"Amjed Tahir","raw_affiliation_strings":["School of Mathematical and Computational Sciences, Massey University,Palmerston North,New Zealand","School of Mathematical and Computational Sciences, Massey University, Palmerston North, New Zealand"],"affiliations":[{"raw_affiliation_string":"School of Mathematical and Computational Sciences, Massey University,Palmerston North,New Zealand","institution_ids":["https://openalex.org/I51158804"]},{"raw_affiliation_string":"School of Mathematical and Computational Sciences, Massey University, Palmerston North, New Zealand","institution_ids":["https://openalex.org/I51158804"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5052783352","display_name":"Mojtaba Shahin","orcid":"https://orcid.org/0000-0002-9081-1354"},"institutions":[{"id":"https://openalex.org/I82951845","display_name":"RMIT University","ror":"https://ror.org/04ttjf776","country_code":"AU","type":"education","lineage":["https://openalex.org/I82951845"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Mojtaba Shahin","raw_affiliation_strings":["School of Computing Technologies, RMIT University,Melbourne,Australia","School of Computing Technologies, RMIT University, Melbourne, Australia"],"affiliations":[{"raw_affiliation_string":"School of Computing Technologies, RMIT University,Melbourne,Australia","institution_ids":["https://openalex.org/I82951845"]},{"raw_affiliation_string":"School of Computing Technologies, RMIT University, Melbourne, Australia","institution_ids":["https://openalex.org/I82951845"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5102968371"],"corresponding_institution_ids":["https://openalex.org/I37461747"],"apc_list":null,"apc_paid":null,"fwci":3.6711,"has_fulltext":false,"cited_by_count":8,"citation_normalized_percentile":{"value":0.94050213,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"12"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.9987000226974487,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9983999729156494,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7139632105827332},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.619967520236969},{"id":"https://openalex.org/keywords/code-review","display_name":"Code review","score":0.6093428134918213},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.6008836030960083},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5527940988540649},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.53557950258255},{"id":"https://openalex.org/keywords/software-bug","display_name":"Software bug","score":0.5221936106681824},{"id":"https://openalex.org/keywords/standardization","display_name":"Standardization","score":0.5016791820526123},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.4669073224067688},{"id":"https://openalex.org/keywords/security-bug","display_name":"Security bug","score":0.4631720185279846},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.4247535467147827},{"id":"https://openalex.org/keywords/static-program-analysis","display_name":"Static program analysis","score":0.23666125535964966},{"id":"https://openalex.org/keywords/software-development","display_name":"Software development","score":0.21914276480674744},{"id":"https://openalex.org/keywords/security-service","display_name":"Security service","score":0.1958838403224945},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.1952686905860901},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.07025587558746338}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7139632105827332},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.619967520236969},{"id":"https://openalex.org/C150292731","wikidata":"https://www.wikidata.org/wiki/Q1342704","display_name":"Code review","level":5,"score":0.6093428134918213},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.6008836030960083},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5527940988540649},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.53557950258255},{"id":"https://openalex.org/C1009929","wikidata":"https://www.wikidata.org/wiki/Q179550","display_name":"Software bug","level":3,"score":0.5221936106681824},{"id":"https://openalex.org/C188087704","wikidata":"https://www.wikidata.org/wiki/Q369577","display_name":"Standardization","level":2,"score":0.5016791820526123},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.4669073224067688},{"id":"https://openalex.org/C131275738","wikidata":"https://www.wikidata.org/wiki/Q7445023","display_name":"Security bug","level":5,"score":0.4631720185279846},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.4247535467147827},{"id":"https://openalex.org/C137287247","wikidata":"https://www.wikidata.org/wiki/Q1329550","display_name":"Static program analysis","level":4,"score":0.23666125535964966},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.21914276480674744},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.1958838403224945},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.1952686905860901},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.07025587558746338},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.0},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0},{"id":"https://openalex.org/C151730666","wikidata":"https://www.wikidata.org/wiki/Q7205","display_name":"Paleontology","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/esem56168.2023.10304852","is_oa":false,"landing_page_url":"https://doi.org/10.1109/esem56168.2023.10304852","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/17","score":0.4399999976158142,"display_name":"Partnerships for the goals"}],"awards":[{"id":"https://openalex.org/G3792353997","display_name":null,"funder_award_id":"62172311","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":40,"referenced_works":["https://openalex.org/W1501321335","https://openalex.org/W1628063087","https://openalex.org/W1808285885","https://openalex.org/W1971796909","https://openalex.org/W1981425990","https://openalex.org/W1986222079","https://openalex.org/W2015696622","https://openalex.org/W2019257047","https://openalex.org/W2053154970","https://openalex.org/W2096274199","https://openalex.org/W2098673848","https://openalex.org/W2108769867","https://openalex.org/W2134827012","https://openalex.org/W2139339877","https://openalex.org/W2413171555","https://openalex.org/W2510378003","https://openalex.org/W2543971965","https://openalex.org/W2563377808","https://openalex.org/W2575948046","https://openalex.org/W2618852163","https://openalex.org/W2763622888","https://openalex.org/W2794494697","https://openalex.org/W2808429234","https://openalex.org/W3010410794","https://openalex.org/W3022798049","https://openalex.org/W3036270494","https://openalex.org/W3094463643","https://openalex.org/W3116842536","https://openalex.org/W3150814957","https://openalex.org/W3160070616","https://openalex.org/W3195999617","https://openalex.org/W4206767299","https://openalex.org/W4220908965","https://openalex.org/W4280612920","https://openalex.org/W4283756030","https://openalex.org/W4285505145","https://openalex.org/W4321093054","https://openalex.org/W4360948905","https://openalex.org/W6636572521","https://openalex.org/W6731724215"],"related_works":["https://openalex.org/W1978034799","https://openalex.org/W2007984522","https://openalex.org/W4384518368","https://openalex.org/W2141388993","https://openalex.org/W2155353733","https://openalex.org/W2504659933","https://openalex.org/W2039943835","https://openalex.org/W2293245356","https://openalex.org/W2560421591","https://openalex.org/W1566131087"],"abstract_inverted_index":{"Background:":[0],"Despite":[1],"the":[2,113,154,175,181,187,190,193],"widespread":[3],"use":[4],"of":[5,153,236],"automated":[6,217],"security":[7,16,47,79,88,140,164,199,209,229],"defect":[8,89,182],"detection":[9,51,61,90,218],"tools,":[10,219],"software":[11,208,246],"projects":[12,111],"still":[13],"contain":[14],"many":[15],"defects":[17,141],"that":[18,138,206],"could":[19],"result":[20],"in":[21,36,112,146],"serious":[22],"damage.":[23],"Such":[24],"tools":[25,58],"are":[26,142,192],"largely":[27],"context-insensitive":[28],"and":[29,59,74,115,173,184,189,227,231],"may":[30],"not":[31,143,197],"cover":[32],"all":[33],"possible":[34],"scenarios":[35],"testing":[37],"potential":[38],"issues,":[39],"which":[40],"makes":[41],"them":[42],"susceptible":[43],"to":[44,85,160,169,225],"missing":[45],"complex":[46],"defects.":[48,80,200],"Hence,":[49],"thorough":[50],"entails":[52],"a":[53,72,221],"synergistic":[54],"cooperation":[55],"between":[56,186],"these":[57],"human-intensive":[60],"techniques,":[62],"including":[63],"code":[64,92,105,147,214,240],"review.":[65,93],"Code":[66],"review":[67,106,122,215,241],"is":[68],"widely":[69],"recognized":[70],"as":[71,132],"crucial":[73],"effective":[75],"practice":[76],"for":[77,196,244],"identifying":[78,226],"Aim:":[81],"This":[82],"work":[83],"aims":[84],"empirically":[86],"investigate":[87],"through":[91],"Method:":[94],"To":[95],"this":[96],"end,":[97],"we":[98,128],"conducted":[99],"an":[100],"empirical":[101],"study":[102],"by":[103,125],"analyzing":[104],"comments":[107,123,131],"derived":[108],"from":[109],"four":[110],"OpenStack":[114],"Qt":[116],"communities.":[117],"Through":[118],"manually":[119],"checking":[120],"20,995":[121],"obtained":[124],"keyword-based":[126],"search,":[127],"identified":[129],"614":[130],"security-related.":[133],"Results:":[134],"Our":[135,202],"results":[136,204],"show":[137],"(1)":[139,207],"prevalently":[144],"discussed":[145],"review,":[148],"(2)":[149,232],"more":[150,222],"than":[151],"half":[152],"reviewers":[155],"provided":[156],"explicit":[157],"fixing":[158,180],"strategies/solutions":[159],"help":[161],"developers":[162,167],"fix":[163],"defects,":[165,230],"(3)":[166],"tend":[168],"follow":[170],"reviewers'":[171],"suggestions":[172],"action":[174],"changes,":[176],"(4)":[177],"Not":[178],"worth":[179],"now":[183],"Disagreement":[185],"developer":[188],"reviewer":[191],"main":[194],"causes":[195],"resolving":[198],"Conclusions:":[201],"research":[203],"demonstrate":[205],"practices":[210],"should":[211],"combine":[212],"manual":[213],"with":[216],"achieving":[220],"comprehensive":[223],"coverage":[224],"addressing":[228],"promoting":[233],"appropriate":[234],"standardization":[235],"practitioners'":[237],"behaviors":[238],"during":[239],"remains":[242],"necessary":[243],"enhancing":[245],"security.":[247]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":6},{"year":2024,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}