How do Library Maintainers Refactor to Secure Software? A Study of Maven Releases

Third-party library dependencies have become prominent in to-day’s software development; however, the threat of security vul-nerabilities in dependencies is a growing concern. In addition toadding new features, fixing bugs, and evolving code, a librarymaintainer needs to consider the security of their libraries whenevolving their code. Maruyama[31]proposed secure refactoringto secure code; however, it is unknown the extent to which se-cure refactoring is practiced in the wild. To fill this gap, in thislarge empirical study, we want to understand the role in whichrefactoring plays in securing code from known vulnerabilities.Results of our preliminary study of 351 vulnerabilities that de-tected 7,853 refactorings confirmed the presence of secure refac-toring, causing us to expand the definition of secure refactoringinto secure-release refactoring. Conducting a mixed-method em-pirical study, we show that secure-release refactoring is usuallyreleased in the major and pre-release versions, while the most fre-quent secure-release refactoring beingAdd Method Annotation,Change Variable Type,Rename Variable Type,Rename MethodandChange Parameter Type. For our qualitative investigation of512 samples, we confirm that secure-release refactoring securityfixes are not involved in complex tasks but for singular tasks. In-terestingly, we reveal several relationships between the type ofmaintenance task and secure-release refactoring. Our findings are astep towards understanding how refactoring is used to secure code,opening up avenues for future work that contribute to promotingsecure dependencies