{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T06:02:40Z","timestamp":1763445760616,"version":"3.40.3"},"publisher-location":"Cham","reference-count":18,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031727801"},{"type":"electronic","value":"9783031727818"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,1,11]],"date-time":"2025-01-11T00:00:00Z","timestamp":1736553600000},"content-version":"vor","delay-in-days":10,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Developers use different means to document the security concerns of their code. Because of all of these opportunities, they may forget where the information is stored, or others may not be aware of it, and leave it unmaintained for so long that it becomes obsolete, if not useless. In this work, we analyzed different sources of code documentation from four large-scale, real-world, open-source projects in an industrial setting to understand where developers report their security concerns. In particular, we manually inspected 2.559 instances taken from source code comments, commit messages, and issue trackers. Overall, we found that developers prefer to document security concerns in source code comments and issue trackers. We also found that the longer the comments stay unfixed, the more likely they remain unfixed. Thus, to create awareness among developers, we implemented a pipeline to remind them about the introduction or removal of comments pointing to a security problem.<\/jats:p>","DOI":"10.1007\/978-3-031-72781-8_21","type":"book-chapter","created":{"date-parts":[[2025,1,10]],"date-time":"2025-01-10T18:06:14Z","timestamp":1736532374000},"page":"189-195","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Where Do Developers Admit their Security-Related Concerns?"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-3156-6211","authenticated-orcid":false,"given":"Moritz","family":"Mock","sequence":"first","affiliation":[]},{"given":"Thomas","family":"Forrer","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3737-9264","authenticated-orcid":false,"given":"Barbara","family":"Russo","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,1,11]]},"reference":[{"key":"21_CR1","doi-asserted-by":"publisher","unstructured":"Bavota, G., Russo, B.: A large-scale empirical study on self-admitted technical debt. In: Proceedings of the 13th International Conference on Mining Software Repositories, MSR 2016, pp. 315\u2013326. Association for Computing Machinery, New York, NY, USA (2016). https:\/\/doi.org\/10.1145\/2901739.2901742","DOI":"10.1145\/2901739.2901742"},{"key":"21_CR2","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10664-021-10054-w","volume":"27","author":"R Croft","year":"2022","unstructured":"Croft, R., Xie, Y., Zahedi, M., Babar, M.A., Treude, C.: An empirical study of developers\u2019 discussions about security challenges of different programming languages. Empir. Softw. Eng. 27, 1\u201352 (2022)","journal-title":"Empir. Softw. Eng."},{"issue":"2","key":"21_CR3","doi-asserted-by":"publisher","first-page":"29","DOI":"10.1145\/157710.157715","volume":"4","author":"W Cunningham","year":"1992","unstructured":"Cunningham, W.: The wycash portfolio management system. ACM Sigplan Oops Messenger 4(2), 29\u201330 (1992)","journal-title":"ACM Sigplan Oops Messenger"},{"key":"21_CR4","first-page":"1","volume":"7","author":"J Dem\u0161ar","year":"2006","unstructured":"Dem\u0161ar, J.: Statistical comparisons of classifiers over multiple data sets. J. Mach. Learn. Res. 7, 1\u201330 (2006)","journal-title":"J. Mach. Learn. Res."},{"key":"21_CR5","doi-asserted-by":"publisher","unstructured":"Ferreyra, N.E.D., Shahin, M., Zahedi, M., Quadri, S., Scandariato, R.: What can self-admitted technical debt tell us about security? a mixed-methods study (2024). https:\/\/doi.org\/10.48550\/arXiv.2401.12768","DOI":"10.48550\/arXiv.2401.12768"},{"key":"21_CR6","doi-asserted-by":"publisher","unstructured":"Kr\u00fcger, J., Hebig, R.: To memorize or to document: a survey of developers\u2019 views on knowledge availability. In: Kadgien, R., Jedlitschka, A., Janes, A., Lenarduzzi, V., Li, X. (eds.) Product-Focused Software Process Improvement, pp. 39\u201356. Springer, Cham (2024). https:\/\/doi.org\/10.1007\/978-3-031-49266-2_3","DOI":"10.1007\/978-3-031-49266-2_3"},{"issue":"3","key":"21_CR7","doi-asserted-by":"publisher","first-page":"65","DOI":"10.1007\/s10664-023-10297-9","volume":"28","author":"Y Li","year":"2023","unstructured":"Li, Y., Soliman, M., Avgeriou, P.: Automatic identification of self-admitted technical debt from four different sources. Empir. Softw. Eng. 28(3), 65 (2023). https:\/\/doi.org\/10.1007\/s10664-023-10297-9","journal-title":"Empir. Softw. Eng."},{"key":"21_CR8","doi-asserted-by":"crossref","unstructured":"Mock, M., Melegati, J., Kretschman, M., D\u00edaz\u00a0Ferreyra, N.E., Russo, B.: MADE-WIC: Multiple annotated datasets for exploring weaknesses in code. In: work in progress (2024)","DOI":"10.1145\/3691620.3695348"},{"key":"21_CR9","doi-asserted-by":"publisher","unstructured":"Russo, B., Camilli, M., Mock, M.: WeakSATD: detecting weak self-admitted technical debt. In: Proceedings of the 19th International Conference on Mining Software Repositories, MSR 2022, pp. 448-453. Association for Computing Machinery, New York, NY, USA (2022). https:\/\/doi.org\/10.1145\/3524842.3528469","DOI":"10.1145\/3524842.3528469"},{"key":"21_CR10","doi-asserted-by":"publisher","unstructured":"Spadini, D., Aniche, M., Bacchelli, A.: PyDriller: Python framework for mining software repositories. In: Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC\/FSE 2018, pp. 908-911. Association for Computing Machinery, New York, NY, USA (2018). https:\/\/doi.org\/10.1145\/3236024.3264598","DOI":"10.1145\/3236024.3264598"},{"issue":"6","key":"21_CR11","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10664-021-10031-3","volume":"26","author":"F Zampetti","year":"2021","unstructured":"Zampetti, F., Fucci, G., Serebrenik, A., Di Penta, M.: Self-admitted technical debt practices: a comparison between industry and open-source. Empir. Softw. Eng. 26(6), 1\u201332 (2021). https:\/\/doi.org\/10.1007\/s10664-021-10031-3","journal-title":"Empir. Softw. Eng."},{"key":"21_CR12","unstructured":"SemGrep. http:\/\/semgrep.dev, Accessed May 2024"},{"key":"21_CR13","unstructured":"SonarQube. https:\/\/www.sonarsource.com\/, Accessed May 2024"},{"key":"21_CR14","unstructured":"Invicti. https:\/\/www.invicti.com, Accessed May 2024"},{"key":"21_CR15","unstructured":"GLPI. https:\/\/github.com\/glpi-project\/glpi, Accessed May 2024"},{"key":"21_CR16","unstructured":"icingaweb2. https:\/\/github.com\/Icinga\/icingaweb2, Accessed May 2024"},{"key":"21_CR17","unstructured":"Github documentation. https:\/\/docs.github.com\/en\/rest\/issues\/issues, Accessed May 2024"},{"key":"21_CR18","unstructured":"Jire python package. https:\/\/pypi.org\/project\/jira\/, Aaccessed May 2024"}],"container-title":["Lecture Notes in Business Information Processing","Agile Processes in Software Engineering and Extreme Programming \u2013 Workshops"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-72781-8_21","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,1,10]],"date-time":"2025-01-10T19:03:32Z","timestamp":1736535812000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-72781-8_21"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9783031727801","9783031727818"],"references-count":18,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-72781-8_21","relation":{},"ISSN":["1865-1348","1865-1356"],"issn-type":[{"type":"print","value":"1865-1348"},{"type":"electronic","value":"1865-1356"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"11 January 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"XP","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Agile Software Development","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Bozen-Bolzano","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Italy","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2024","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"4 June 2024","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"7 June 2024","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"25","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"xpu2024","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.agilealliance.org\/xp2024\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}