I am currently a Specially Appointed Assistant Professor in the Software Engineering Laboratory under the supervision of Professor Kenichi Matsumoto, Nara Institute of Science and Technology (NAIST). My research interests include empirical software engineering and mining software repositories. In detail, my research focuses on security vulnerabilities in software ecosystems and how developers react to vulnerabilities in their software projects. The ultimate goal of my research is to mitigate the risk of security vulnerabilities in software ecosystems.
Interests: Software Quality, Software Ecosystem, Mining Software Repositories, Security Vulnerability, Social Network Data Mining
Contact: <firstname>.ch{at}is.naist.jp
News
Dec 10, 2022
Releasing a new website. Migrating information from an old one.
Selected publications
SōjiTantei: Function-Call Reachability Detection of Vulnerable Code for npm Packages
Bodin Chinthanet, Raula Gaikovina Kula, Rodrigo Eliza Zapata, and 3 more authors
IEICE Transactions on Information and Systems Jan 2022
It has become common practice for software projects to adopt third-party dependencies. Developers are encouraged to update any outdated dependency to remain safe from potential threats of vulnerabilities. In this study, we present an approach to aid developers by showing whether or not vulnerable code is reachable for JavaScript projects. Our prototype, SōjiTantei, is evaluated in two ways: (i) the accuracy when compared to a manual approach and (ii) a larger-scale analysis of 780 clients from 78 security vulnerability cases. The first evaluation shows that SōjiTantei has a high accuracy of 83.3%, with an analysis speed of less than a second per client. The second evaluation reveals that 68 out of the studied 78 vulnerabilities reported having at least one clean client. The study proves that automation is promising with the potential for further improvement.
Lags in the Release, Adoption, and Propagation of Npm Vulnerability Fixes
Bodin Chinthanet, Raula Gaikovina Kula, Shane McIntosh, and 3 more authors
Security vulnerability in third-party dependencies is a growing concern not only for developers of the affected software, but for the risks it poses to an entire software ecosystem, e.g., the Heartbleed vulnerability. Recent studies show that developers are slow to respond to the threat of vulnerability, sometimes taking four to eleven months to act. To ensure quick adoption and propagation of a release that contains the fix (fixing release), we conduct an empirical investigation to identify lags that may occur between the vulnerable release and its fixing release (package-side fixing release). Through a preliminary study of 231 package-side fixing releases of npm projects on GitHub, we observe that a fixing release is rarely released on its own, with up to 85.72% of the bundled commits being unrelated to a fix. We then compare the package-side fixing release with changes on a client-side (client-side fixing release). Through an empirical study of the adoption and propagation tendencies of 1,290 package-side fixing releases that impact throughout a network of 1,553,325 releases of npm packages, we find that stale clients require additional migration effort, even if the package-side fixing release was quick (i.e., the package-side fixing release type is patch). Furthermore, we show the influence of factors such as the branch that the package-side fixing release lands on and the severity of vulnerability on its propagation. In addition to these lags we identify and characterize, this paper lays the groundwork for future research on how to mitigate propagation lags in an ecosystem.
Code-Based Vulnerability Detection in Node.js Applications: How Far Are We?
Bodin Chinthanet, Serena Elisa Ponta, Henrik Plate, and 4 more authors
In IEEE/ACM International Conference on Automated Software Engineering (ASE) Dec 2020
With one of the largest available collections of reusable packages, the JavaScript runtime environment Node.js is one of the most popular programming platforms. With recent work showing evidence that known vulnerabilities are prevalent in both open source and industrial software, we propose and implement a viable code-based vulnerability detection tool for Node.js applications. Our case study lists the challenges encountered while implementing our Node.js vulnerable code detector.
Towards Smoother Library Migrations: A Look at Vulnerable Dependency Migrations at Function Level for npm JavaScript Packages
Rodrigo Elizalde Zapata, Raula Gaikovina Kula, Bodin Chinthanet, and 3 more authors
In IEEE International Conference on Software Maintenance and Evolution (ICSME) Sep 2018
It has become common practice for software projects to adopt third-party libraries, allowing developers full access to functions that would otherwise take time and effort to create themselves. Regardless of the migration effort involved, developers are encouraged to maintain their library dependencies by updating any outdated dependency, so as to remain safe from potential threats such as vulnerabilities. Through a manual inspection of a total of 60 client projects from three cases of high severity vulnerabilities, we investigate whether or not clients are really safe from these threats. Surprisingly, our early results show evidence that up to 73.3% of outdated clients were actually safe from the threat. This is the first work to confirm that analysis at the library level is indeed an overestimation. This result paves the path for future studies to empirically investigate and validate this phenomenon, and is a step towards aiding a smoother library migration for client developers.
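The distinction drawn in the SōjiTantei and ICSME abstracts above, between flagging a client because it depends on a vulnerable package (library level) and flagging it only when the vulnerable function is actually reachable from the client's code (function level), as an added illustration that is not the authors' tool or code. The call graph, the package `pkg-a`, its function names and the "vulnerable" function are all constructed for the example.

```javascript
// Added example (not SōjiTantei's code): function-level reachability over a
// constructed call graph. Nodes are "<package>:<function>"; each entry maps a
// caller to its callees. The client, pkg-a and the advisory are constructed.
const callGraph = {
  'client:main': ['client:render', 'pkg-a:escape'],
  'client:render': ['pkg-a:escape'],
  'pkg-a:escape': ['pkg-a:normalize'],
  'pkg-a:parse': ['pkg-a:normalize', 'pkg-a:decode'], // assumed vulnerable function
  'pkg-a:decode': [],
  'pkg-a:normalize': [],
};

// Depth-first walk from the client's entry points: every function that can be
// executed, in the client or in any dependency.
function reachableFunctions(graph, entryPoints) {
  const seen = new Set();
  const stack = [...entryPoints];
  while (stack.length > 0) {
    const node = stack.pop();
    if (seen.has(node)) continue;
    seen.add(node);
    stack.push(...(graph[node] || []));
  }
  return seen;
}

// Breadth-first search for the shortest call path from an entry point to the
// target function; null means the target is unreachable from the client.
function findCallPath(graph, entryPoints, target) {
  const queue = entryPoints.map((fn) => [fn]);
  const seen = new Set(entryPoints);
  while (queue.length > 0) {
    const path = queue.shift();
    const node = path[path.length - 1];
    if (node === target) return path;
    for (const callee of graph[node] || []) {
      if (!seen.has(callee)) { seen.add(callee); queue.push([...path, callee]); }
    }
  }
  return null;
}

// Library-level view (the package is used at all) versus function-level view
// (the vulnerable function is actually reachable), plus the evidence path.
function classifyClient(graph, entryPoints, pkg, vulnerableFn) {
  const reached = reachableFunctions(graph, entryPoints);
  const path = findCallPath(graph, entryPoints, vulnerableFn);
  return {
    libraryLevelFlagged: [...reached].some((fn) => fn.startsWith(pkg + ':')),
    functionLevelAffected: path !== null,
    path,
  };
}
```

With the constructed graph, the client is flagged at library level but is "clean" at function level, which is exactly the overestimation the ICSME abstract reports; rewiring `client:main` to call `pkg-a:parse` turns it into an affected client with a concrete call path.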