I am currently a Specially Appointed Assistant Professor in the Software Engineering Laboratory under the supervision of Professor Kenichi Matsumoto, Nara Institute of Science and Technology (NAIST). My research interests include empirical software engineering and mining software repositories. In detail, my research focuses on security vulnerabilities in software ecosystems and how developers react to vulnerabilities in their software projects. The ultimate goal of my research is to mitigate the risk of security vulnerabilities in software ecosystems.
Interests: Software Quality, Software Ecosystem, Mining Software Repositories, Security Vulnerability, Social Network Data Mining
Dec 10, 2022: Releasing a new website. Migrating information from an old one.
SōjiTantei: Function-Call Reachability Detection of Vulnerable Code for npm Packages
Bodin Chinthanet, Raula Gaikovina Kula, Rodrigo Eliza Zapata, and 3 more authors
IEICE Transactions on Information and Systems, Jan 2022
Lags in the Release, Adoption, and Propagation of Npm Vulnerability Fixes
Bodin Chinthanet, Raula Gaikovina Kula, Shane McIntosh, and 3 more authors
Security vulnerabilities in third-party dependencies are a growing concern, not only for developers of the affected software but for the risk they pose to an entire software ecosystem, e.g., the Heartbleed vulnerability. Recent studies show that developers are slow to respond to the threat of a vulnerability, sometimes taking four to eleven months to act. To ensure quick adoption and propagation of a release that contains the fix (fixing release), we conduct an empirical investigation to identify lags that may occur between the vulnerable release and its fixing release (package-side fixing release). Through a preliminary study of 231 package-side fixing releases of npm projects on GitHub, we observe that a fixing release is rarely released on its own, with up to 85.72% of the bundled commits being unrelated to a fix. We then compare the package-side fixing release with changes on the client side (client-side fixing release). Through an empirical study of the adoption and propagation tendencies of 1,290 package-side fixing releases whose impact spans a network of 1,553,325 releases of npm packages, we find that stale clients require additional migration effort, even if the package-side fixing release was quick (i.e., the package-side fixing release was a patch-type release). Furthermore, we show the influence of factors such as the branch that the package-side fixing release lands on and the severity of the vulnerability on its propagation. In addition to the lags we identify and characterize, this paper lays the groundwork for future research on how to mitigate propagation lags in an ecosystem.
Code-Based Vulnerability Detection in Node.Js Applications: How Far Are We?
Bodin Chinthanet, Serena Elisa Ponta, Henrik Plate, and 4 more authors
In IEEE/ACM International Conference on Automated Software Engineering (ASE), Dec 2020
Rodrigo Elizalde Zapata, Raula Gaikovina Kula, Bodin Chinthanet, and 3 more authors
In IEEE International Conference on Software Maintenance and Evolution (ICSME), Sep 2018
It has become common practice for software projects to adopt third-party libraries, giving developers full access to functions that would otherwise take time and effort to create themselves. Regardless of the migration effort involved, developers are encouraged to maintain their library dependencies by updating any outdated dependency, so as to remain safe from potential threats such as vulnerabilities. Through a manual inspection of a total of 60 client projects from three cases of high-severity vulnerabilities, we investigate whether or not clients are really exposed to these threats. Surprisingly, our early results show evidence that up to 73.3% of outdated clients were actually safe from the threat. This is the first work to confirm that analysis at the library level is indeed an overestimation. This result paves the path for future studies to empirically investigate and validate this phenomenon, and works towards aiding a smoother library migration for client developers.