Quantifying Security Issues in Reusable JavaScript Actions in GitHub Workflows
Source: NIAID Data Ecosystem, indexed 2026-05-01
Download link:
https://zenodo.org/record/10521913
Resource description:
Quantifying Security Issues in Reusable JavaScript Actions in GitHub Workflows
Overview
This replication package contains all the material required to replicate the analyses we made for our paper entitled Quantifying Security Issues in Reusable JavaScript Actions in GitHub Workflows, which has been accepted for publication at the MSR 2024 (the 21st International Conference on Mining Software Repositories). The materials provided here will guide you through the process of replicating our research findings.
This research is supported by the Fonds de la Recherche Scientifique - FNRS under grant numbers T.0149.22, F.4515.23, and J.0147.24.
Requirements
Before you proceed with replicating our analysis, ensure that you have the following prerequisites installed on your system:
Python 3.8 or higher
Dependencies listed in the requirements.txt file
Getting Started
To begin replicating our analysis, follow these steps:
Clone this repository to your local machine:
Navigate to the cloned directory:
Set up a Jupyter Lab environment to execute the provided notebooks.
Install the required dependencies using the requirements.txt file:
pip install -r requirements.txt
Data Replication
The data-raw folder contains all the data required to replicate the analysis. These data were obtained by running various notebooks. Here is a list of the notebooks and their resulting CSV files:
Extract Actions - actions.csv
Extract Releases - releases.csv
Extract Actions Type - types.csv
Check Manifests and Extract Dependencies - lock_dependencies.csv
Check Vulnerabilities - vulnerabilities.csv
Extract JS Entry Points and CodeQL Results - codeql_results_raw.csv, codeql_queries.csv
Extract Dependents - dependents.csv
Research Questions and Analysis
The data folder contains all the data required to replicate the paper-story notebook and the research questions. The research and analysis presented in the paper are based on two final datasets created from the data-raw files as follows:
Vulnerabilities in Dependency Network of Actions - actions_dependencies_vulnerabilities.parquet
Security Weaknesses in JavaScript Code of Actions - actions_code_vulnerabilities.parque
Created: 2024-01-18



