{"id":"https://openalex.org/W4407392582","doi":"https://doi.org/10.1145/3716848","title":"Security Weaknesses of Copilot-Generated Code in GitHub Projects: An Empirical Study","display_name":"Security Weaknesses of Copilot-Generated Code in GitHub Projects: An Empirical Study","publication_year":2025,"publication_date":"2025-02-12","ids":{"openalex":"https://openalex.org/W4407392582","doi":"https://doi.org/10.1145/3716848"},"language":"en","primary_location":{"id":"doi:10.1145/3716848","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3716848","pdf_url":null,"source":{"id":"https://openalex.org/S142627899","display_name":"ACM Transactions on Software Engineering and Methodology","issn_l":"1049-331X","issn":["1049-331X","1557-7392"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Software Engineering and Methodology","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5111149380","display_name":"Yujia Fu","orcid":null},"institutions":[{"id":"https://openalex.org/I37461747","display_name":"Wuhan University","ror":"https://ror.org/033vjfk17","country_code":"CN","type":"education","lineage":["https://openalex.org/I37461747"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Yujia Fu","raw_affiliation_strings":["School of Computer Science, Wuhan University, Wuhan, China","School of Computer Science, Wuhan University, China"],"raw_orcid":"https://orcid.org/0009-0001-3510-8930","affiliations":[{"raw_affiliation_string":"School of Computer Science, Wuhan University, Wuhan, China","institution_ids":["https://openalex.org/I37461747"]},{"raw_affiliation_string":"School of Computer Science, Wuhan University, China","institution_ids":["https://openalex.org/I37461747"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5049939779","display_name":"Peng Liang","orcid":"https://orcid.org/0000-0002-2056-5346"},"institutions":[{"id":"https://openalex.org/I37461747","display_name":"Wuhan University","ror":"https://ror.org/033vjfk17","country_code":"CN","type":"education","lineage":["https://openalex.org/I37461747"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Peng Liang","raw_affiliation_strings":["School of Computer Science, Wuhan University, Wuhan, China","School of Computer Science, Wuhan University, China"],"raw_orcid":"https://orcid.org/0000-0002-2056-5346","affiliations":[{"raw_affiliation_string":"School of Computer Science, Wuhan University, Wuhan, China","institution_ids":["https://openalex.org/I37461747"]},{"raw_affiliation_string":"School of Computer Science, Wuhan University, China","institution_ids":["https://openalex.org/I37461747"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5025562598","display_name":"Amjed Tahir","orcid":"https://orcid.org/0000-0001-9454-1366"},"institutions":[{"id":"https://openalex.org/I51158804","display_name":"Massey University","ror":"https://ror.org/052czxv31","country_code":"NZ","type":"education","lineage":["https://openalex.org/I51158804"]}],"countries":["NZ"],"is_corresponding":false,"raw_author_name":"Amjed Tahir","raw_affiliation_strings":["Massey University, Palmerston North, New Zealand","Massey University, New Zealand"],"raw_orcid":"https://orcid.org/0000-0001-9454-1366","affiliations":[{"raw_affiliation_string":"Massey University, Palmerston North, New Zealand","institution_ids":["https://openalex.org/I51158804"]},{"raw_affiliation_string":"Massey University, New Zealand","institution_ids":["https://openalex.org/I51158804"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5000298412","display_name":"Zengyang Li","orcid":"https://orcid.org/0000-0002-7258-993X"},"institutions":[{"id":"https://openalex.org/I40963666","display_name":"Central China Normal University","ror":"https://ror.org/03x1jna21","country_code":"CN","type":"education","lineage":["https://openalex.org/I40963666"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zengyang Li","raw_affiliation_strings":["School of Computer Science, Central China Normal University, Wuhan, China","School of Computer Science, Central China Normal University, China"],"raw_orcid":"https://orcid.org/0000-0002-7258-993X","affiliations":[{"raw_affiliation_string":"School of Computer Science, Central China Normal University, Wuhan, China","institution_ids":["https://openalex.org/I40963666"]},{"raw_affiliation_string":"School of Computer Science, Central China Normal University, China","institution_ids":["https://openalex.org/I40963666"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5052783352","display_name":"Mojtaba Shahin","orcid":"https://orcid.org/0000-0002-9081-1354"},"institutions":[{"id":"https://openalex.org/I82951845","display_name":"RMIT University","ror":"https://ror.org/04ttjf776","country_code":"AU","type":"education","lineage":["https://openalex.org/I82951845"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Mojtaba Shahin","raw_affiliation_strings":["RMIT University, Melbourne, Australia","RMIT University, Australia"],"raw_orcid":"https://orcid.org/0000-0002-9081-1354","affiliations":[{"raw_affiliation_string":"RMIT University, Melbourne, Australia","institution_ids":["https://openalex.org/I82951845"]},{"raw_affiliation_string":"RMIT University, Australia","institution_ids":["https://openalex.org/I82951845"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Jiaxin Yu","orcid":"https://orcid.org/0009-0005-7017-5804"},"institutions":[{"id":"https://openalex.org/I37461747","display_name":"Wuhan University","ror":"https://ror.org/033vjfk17","country_code":"CN","type":"education","lineage":["https://openalex.org/I37461747"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jiaxin Yu","raw_affiliation_strings":["School of Computer Science, Wuhan University, Wuhan, China","School of Computer Science, Wuhan University, China"],"raw_orcid":"https://orcid.org/0009-0005-7017-5804","affiliations":[{"raw_affiliation_string":"School of Computer Science, Wuhan University, Wuhan, China","institution_ids":["https://openalex.org/I37461747"]},{"raw_affiliation_string":"School of Computer Science, Wuhan University, China","institution_ids":["https://openalex.org/I37461747"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5101882679","display_name":"Jinfu Chen","orcid":"https://orcid.org/0000-0001-7410-9146"},"institutions":[{"id":"https://openalex.org/I37461747","display_name":"Wuhan University","ror":"https://ror.org/033vjfk17","country_code":"CN","type":"education","lineage":["https://openalex.org/I37461747"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jinfu Chen","raw_affiliation_strings":["School of Computer Science, Wuhan University, Wuhan, China","School of Computer Science, Wuhan University, China"],"raw_orcid":"https://orcid.org/0000-0001-7410-9146","affiliations":[{"raw_affiliation_string":"School of Computer Science, Wuhan University, Wuhan, China","institution_ids":["https://openalex.org/I37461747"]},{"raw_affiliation_string":"School of Computer Science, Wuhan University, China","institution_ids":["https://openalex.org/I37461747"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5111149380"],"corresponding_institution_ids":["https://openalex.org/I37461747"],"apc_list":null,"apc_paid":null,"fwci":66.4267,"has_fulltext":false,"cited_by_count":26,"citation_normalized_percentile":{"value":0.99908744,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":99,"max":100},"biblio":{"volume":"34","issue":"8","first_page":"1","last_page":"34"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12423","display_name":"Software Reliability and Analysis Research","score":0.9922000169754028,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10430","display_name":"Software Engineering Techniques and Practices","score":0.9855999946594238,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8236908316612244},{"id":"https://openalex.org/keywords/javascript","display_name":"JavaScript","score":0.6523236036300659},{"id":"https://openalex.org/keywords/python","display_name":"Python (programming language)","score":0.6451065540313721},{"id":"https://openalex.org/keywords/scripting-language","display_name":"Scripting language","score":0.5610381960868835},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.5127197504043579},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.47440171241760254},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4603639841079712},{"id":"https://openalex.org/keywords/static-program-analysis","display_name":"Static program analysis","score":0.45214423537254333},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.45131659507751465},{"id":"https://openalex.org/keywords/popularity","display_name":"Popularity","score":0.425870805978775},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.42051732540130615},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.24593347311019897},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.24187934398651123},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.2175447642803192},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.17141130566596985},{"id":"https://openalex.org/keywords/software-development","display_name":"Software development","score":0.141525000333786},{"id":"https://openalex.org/keywords/security-service","display_name":"Security service","score":0.07654273509979248}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8236908316612244},{"id":"https://openalex.org/C544833334","wikidata":"https://www.wikidata.org/wiki/Q2005","display_name":"JavaScript","level":2,"score":0.6523236036300659},{"id":"https://openalex.org/C519991488","wikidata":"https://www.wikidata.org/wiki/Q28865","display_name":"Python (programming language)","level":2,"score":0.6451065540313721},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.5610381960868835},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.5127197504043579},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.47440171241760254},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4603639841079712},{"id":"https://openalex.org/C137287247","wikidata":"https://www.wikidata.org/wiki/Q1329550","display_name":"Static program analysis","level":4,"score":0.45214423537254333},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.45131659507751465},{"id":"https://openalex.org/C2780586970","wikidata":"https://www.wikidata.org/wiki/Q1357284","display_name":"Popularity","level":2,"score":0.425870805978775},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.42051732540130615},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.24593347311019897},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.24187934398651123},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.2175447642803192},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.17141130566596985},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.141525000333786},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.07654273509979248},{"id":"https://openalex.org/C15744967","wikidata":"https://www.wikidata.org/wiki/Q9418","display_name":"Psychology","level":0,"score":0.0},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.0},{"id":"https://openalex.org/C77805123","wikidata":"https://www.wikidata.org/wiki/Q161272","display_name":"Social psychology","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3716848","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3716848","pdf_url":null,"source":{"id":"https://openalex.org/S142627899","display_name":"ACM Transactions on Software Engineering and Methodology","issn_l":"1049-331X","issn":["1049-331X","1557-7392"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Software Engineering and Methodology","raw_type":"journal-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G3792353997","display_name":null,"funder_award_id":"62172311","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":53,"referenced_works":["https://openalex.org/W397180395","https://openalex.org/W1981425990","https://openalex.org/W2053154970","https://openalex.org/W2116156538","https://openalex.org/W2162739315","https://openalex.org/W2339664049","https://openalex.org/W2601908482","https://openalex.org/W2770009667","https://openalex.org/W2784876765","https://openalex.org/W2889849786","https://openalex.org/W2942928164","https://openalex.org/W2964232059","https://openalex.org/W2977630600","https://openalex.org/W3033053557","https://openalex.org/W3037099619","https://openalex.org/W3089825636","https://openalex.org/W3177813494","https://openalex.org/W4206767299","https://openalex.org/W4220988989","https://openalex.org/W4225108562","https://openalex.org/W4285734663","https://openalex.org/W4288057765","https://openalex.org/W4292956935","https://openalex.org/W4297632273","https://openalex.org/W4302797994","https://openalex.org/W4308627645","https://openalex.org/W4311887664","https://openalex.org/W4312438588","https://openalex.org/W4312900476","https://openalex.org/W4315815628","https://openalex.org/W4321649710","https://openalex.org/W4323033785","https://openalex.org/W4323651341","https://openalex.org/W4362659486","https://openalex.org/W4366851162","https://openalex.org/W4367672983","https://openalex.org/W4384026520","https://openalex.org/W4384345684","https://openalex.org/W4385412394","https://openalex.org/W4386806783","https://openalex.org/W4386982649","https://openalex.org/W4388090406","https://openalex.org/W4388858772","https://openalex.org/W4391282616","https://openalex.org/W4391307510","https://openalex.org/W4391454585","https://openalex.org/W4391506183","https://openalex.org/W4391912523","https://openalex.org/W4396833115","https://openalex.org/W4400222417","https://openalex.org/W4400680805","https://openalex.org/W6948378433","https://openalex.org/W6967648781"],"related_works":["https://openalex.org/W2469491375","https://openalex.org/W1981466760","https://openalex.org/W2292865721","https://openalex.org/W1486481742","https://openalex.org/W2106371080","https://openalex.org/W4399511371","https://openalex.org/W2997105294","https://openalex.org/W4321227771","https://openalex.org/W2809528855","https://openalex.org/W2504614904"],"abstract_inverted_index":{"Modern":[0],"code":[1,33,37,58,69,90,100,191],"generation":[2,101],"tools":[3,102],"utilizing":[4],"AI":[5,99],"models":[6],"like":[7,144],"Large":[8],"Language":[9],"Models":[10],"have":[11],"gained":[12],"increased":[13],"popularity":[14],"due":[15],"to":[16,19,185,206],"their":[17,24,177],"ability":[18],"produce":[20],"functional":[21],"code.":[22,226],"However,":[23],"usage":[25],"presents":[26],"security":[27,63,120,187,210,222],"challenges,":[28],"often":[29],"resulting":[30],"in":[31,71,189,224],"insecure":[32],"merging":[34],"into":[35],"the":[36,41,60,172,200,209,218],"base.":[38],"Thus,":[39],"evaluating":[40],"quality":[42],"of":[43,57,119,124,128,147,155,157,167,208],"generated":[44,92,225],"code,":[45],"especially":[46],"its":[47],"security,":[48],"is":[49],"crucial.":[50],"While":[51],"prior":[52],"research":[53],"explored":[54],"various":[55],"aspects":[56],"generation,":[59],"focus":[61],"on":[62],"has":[64],"been":[65],"limited,":[66],"mostly":[67],"examining":[68],"produced":[70],"controlled":[72],"environments":[73],"rather":[74],"than":[75],"open":[76],"source":[77],"development":[78],"scenarios.":[79],"To":[80],"address":[81],"this":[82],"gap,":[83],"we":[84],"conducted":[85],"an":[86],"empirical":[87],"study,":[88],"analyzing":[89],"snippets":[91,130],"by":[93,192],"GitHub":[94,108],"Copilot":[95,183,194],"and":[96,105,126,160,204],"two":[97],"other":[98],"(i.e.,":[103],"CodeWhisperer":[104],"Codeium)":[106],"from":[107,199],"projects.":[109],"Our":[110],"analysis":[111,202],"identified":[112],"733":[113],"snippets,":[114],"revealing":[115],"a":[116],"high":[117],"likelihood":[118],"weaknesses,":[121],"with":[122,196],"29.5%":[123],"Python":[125],"24.2%":[127],"JavaScript":[129],"affected.":[131],"These":[132],"issues":[133,188,211,223],"span":[134],"43":[135],"Common":[136],"Weakness":[137],"Enumeration":[138],"(CWE)":[139],"categories,":[140],"including":[141],"significant":[142],"ones":[143],"CWE-330:":[145],"Use":[146],"Insufficiently":[148],"Random":[149],"Values":[150],",":[151,159],"CWE-94:":[152],"Improper":[153],"Control":[154],"Generation":[156],"Code":[158],"CWE-79:":[161],"Cross-site":[162],"Scripting":[163],".":[164],"Notably,":[165],"eight":[166],"those":[168],"CWEs":[169],"are":[170],"among":[171],"2023":[173],"CWE":[174],"Top-25,":[175],"highlighting":[176],"severity.":[178],"We":[179,215],"further":[180],"examined":[181],"using":[182],"Chat":[184,195],"fix":[186],"Copilot-generated":[190],"providing":[193],"warning":[197],"messages":[198],"static":[201],"tools,":[203],"up":[205],"55.5%":[207],"can":[212],"be":[213],"fixed.":[214],"finally":[216],"provide":[217],"suggestions":[219],"for":[220],"mitigating":[221]},"counts_by_year":[{"year":2026,"cited_by_count":10},{"year":2025,"cited_by_count":16}],"updated_date":"2026-05-21T06:26:12.895304","created_date":"2025-10-10T00:00:00"}