{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,1]],"date-time":"2026-02-01T04:43:00Z","timestamp":1769920980780,"version":"3.49.0"},"reference-count":48,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2026,1,6]],"date-time":"2026-01-06T00:00:00Z","timestamp":1767657600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0"},{"start":{"date-parts":[[2026,1,6]],"date-time":"2026-01-06T00:00:00Z","timestamp":1767657600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0"}],"funder":[{"name":"European Union's Digital Europe Programme","award":["101128070"],"award-info":[{"award-number":["101128070"]}]},{"name":"European Union's Digital Europe Programme","award":["101128070"],"award-info":[{"award-number":["101128070"]}]},{"name":"European Union's Digital Europe Programme","award":["101128070"],"award-info":[{"award-number":["101128070"]}]},{"name":"European Union's Digital Europe Programme","award":["101128070"],"award-info":[{"award-number":["101128070"]}]},{"name":"European Union's Digital Europe Programme","award":["101128070"],"award-info":[{"award-number":["101128070"]}]},{"name":"European Union's Digital Europe Programme","award":["101128070"],"award-info":[{"award-number":["101128070"]}]},{"name":"European Union's Digital Europe Programme","award":["101128070"],"award-info":[{"award-number":["101128070"]}]},{"name":"European Union's Digital Europe Programme","award":["101128070"],"award-info":[{"award-number":["101128070"]}]},{"name":"European Union's Digital Europe Programme","award":["101128070"],"award-info":[{"award-number":["101128070"]}]},{"name":"European Union's Digital Europe Programme","award":["101128070"],"award-info":[{"award-number":["101128070"]}]},{"name":"European Union's Digital Europe Programme","award":["101128070"],"award-info":[{"award-number":["101128070"]}]},{"name":"European Union's Digital Europe Programme","award":["101128070"],"award-info":[{"award-number":["101128070"]}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2026,2]]},"DOI":"10.1007\/s10207-025-01187-w","type":"journal-article","created":{"date-parts":[[2026,1,6]],"date-time":"2026-01-06T13:44:14Z","timestamp":1767707054000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["A large scale analysis of code security in public repositories"],"prefix":"10.1007","volume":"25","author":[{"given":"Ciprian","family":"Opri\u015fa","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dominic Octavian","family":"Grigoru\u0163","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Haralambos","family":"Mouratidis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Eftychia","family":"Lakka","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ourania","family":"Manta","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Angelos","family":"Mavrias","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Marinos","family":"Tsantekidis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nikolas","family":"Filippatos","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"George","family":"Daniil","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ionel-Alexandru","family":"Gal","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Drago\u015f","family":"Gavrilu\u0163","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Christos","family":"Kargatzis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sotiris","family":"Ioannidis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2026,1,6]]},"reference":[{"key":"1187_CR1","unstructured":"Abraham, A.: libsast. https:\/\/github.com\/ajinabraham\/libsast. Accessed: 2025-07-30"},{"key":"1187_CR2","unstructured":"Abraham, A.: njscan. https:\/\/github.com\/ajinabraham\/njsscan. Accessed: 2025-07-30"},{"key":"1187_CR3","doi-asserted-by":"publisher","DOI":"10.5281\/zenodo.13622978","author":"A Bodipudi","year":"2022","unstructured":"Bodipudi, A.: Integrating vulnerability scanning with continuous integration\/continuous deployment (ci\/cd) pipelines. European Journal of Advances in Engineering and Technology (2022). https:\/\/doi.org\/10.5281\/zenodo.13622978","journal-title":"European Journal of Advances in Engineering and Technology"},{"key":"1187_CR4","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103639","volume":"137","author":"V Casola","year":"2024","unstructured":"Casola, V., De Benedictis, A., Mazzocca, C., Orbinato, V.: Secure software development and testing: A model-based methodology. Computers & Security 137, 103639 (2024). https:\/\/doi.org\/10.1016\/j.cose.2023.103639. (https:\/\/www.sciencedirect.com\/science\/article\/pii\/S0167404823005497)","journal-title":"Computers & Security"},{"key":"1187_CR5","doi-asserted-by":"crossref","unstructured":"Chalishhafshejani, S., Pham, B.K., Jaatun, M.G.: Automating security in a continuous integration pipeline. In: IoTBDS, pp. 231\u2013238 (2022)","DOI":"10.5220\/0011083500003194"},{"key":"1187_CR6","doi-asserted-by":"crossref","unstructured":"Cosentino, V., Luis, J., Cabot, J.: Findings from github: methods, datasets and limitations. In: Proceedings of the 13th International Conference on Mining Software Repositories, pp. 137\u2013141 (2016)","DOI":"10.1145\/2901739.2901776"},{"key":"1187_CR7","doi-asserted-by":"crossref","unstructured":"Dalia, G., Visaggio, C.A., Di\u00a0Sorbo, A., Canfora, G.: Sbom ouverture: What we need and what we have. In: Proceedings of the 19th International Conference on Availability, Reliability and Security, pp. 1\u20139 (2024)","DOI":"10.1145\/3664476.3669975"},{"key":"1187_CR8","doi-asserted-by":"crossref","unstructured":"Dennis, K., Dehaan, B., Momeni, P., Laverghetta, G., Ligatti, J.: Large-scale analysis of github and cves to determine prevalence of sql concatenations. In: International Conference on Security and Cryptography (SECRYPT) (2024)","DOI":"10.5220\/0012835200003767"},{"key":"1187_CR9","doi-asserted-by":"crossref","unstructured":"D\u2019Onofrio, D.S., Fusco, M.L., Zhong, H.: Ci\/cd pipeline and devsecops integration for security and load testing. Tech. rep., Sandia National Lab.(SNL-NM), Albuquerque, NM (United States) (2023)","DOI":"10.2172\/2430395"},{"key":"1187_CR10","unstructured":"Dunham, A.: Rats \u2013 rough auditing tool for security. https:\/\/github.com\/andrew-d\/rough-auditing-tool-for-security. Accessed: 2025-07-30"},{"key":"1187_CR11","doi-asserted-by":"crossref","unstructured":"Feist, J., Grieco, G., Groce, A.: Slither: a static analysis framework for smart contracts. In: 2019 IEEE\/ACM 2nd International Workshop on Emerging Trends in Software Engineering for Blockchain (WETSEB), pp. 8\u201315. IEEE (2019)","DOI":"10.1109\/WETSEB.2019.00008"},{"key":"1187_CR12","doi-asserted-by":"crossref","unstructured":"Fischer, F., H\u00f6benreich, J., Grossklags, J.: The effectiveness of security interventions on github. In: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 2426\u20132440 (2023)","DOI":"10.1145\/3576915.3623174"},{"key":"1187_CR13","doi-asserted-by":"crossref","unstructured":"Grieco, G., Song, W., Cygan, A., Feist, J., Groce, A.: Echidna: effective, usable, and fast fuzzing for smart contracts. In: Proceedings of the 29th ACM SIGSOFT international symposium on software testing and analysis, pp. 557\u2013560 (2020)","DOI":"10.1145\/3395363.3404366"},{"key":"1187_CR14","unstructured":"Groenendaal, J., Helsloot, I., Reuter, C.: Towards more insight into cyber incident response decision making and its implications for cyber crisis management. In: 19th International Conference on Information Systems for Crisis Response and Management. ISCRAM (2022)"},{"key":"1187_CR15","doi-asserted-by":"publisher","unstructured":"G\u00f3rski, T.: Adapt: A reusable package for implementing smart contracts that process transactions of congruous types. Software Impacts 21, 100694 (2024). https:\/\/doi.org\/10.1016\/j.simpa.2024.100694. https:\/\/www.sciencedirect.com\/science\/article\/pii\/S2665963824000824","DOI":"10.1016\/j.simpa.2024.100694"},{"key":"1187_CR16","doi-asserted-by":"crossref","unstructured":"Hajdu, \u00c1., Jovanovi\u0107, D.: solc-verify: A modular verifier for solidity smart contracts. In: Working conference on verified software: theories, tools, and experiments, pp. 161\u2013179. Springer (2019)","DOI":"10.1007\/978-3-030-41600-3_11"},{"key":"1187_CR17","unstructured":"clj holmes: clj-holmes. https:\/\/github.com\/clj-holmes\/clj-holmes. Accessed: 2025-06-15"},{"key":"1187_CR18","unstructured":"clj holmes: shape-shifter. https:\/\/github.com\/clj-holmes\/shape-shifter. Accessed: 2025-07-30"},{"issue":"4","key":"1187_CR19","doi-asserted-by":"publisher","first-page":"3171","DOI":"10.1007\/s13369-019-04319-2","volume":"45","author":"M Humayun","year":"2020","unstructured":"Humayun, M., Niazi, M., Jhanjhi, N.Z., Alshayeb, M., Mahmood, S.: Cyber security threats and vulnerabilities: a systematic mapping study. Arab. J. Sci. Eng. 45(4), 3171\u20133189 (2020)","journal-title":"Arab. J. Sci. Eng."},{"key":"1187_CR20","doi-asserted-by":"crossref","unstructured":"Iosif, A.C., Gasiba, T.E., Zhao, T., Lechner, U., Pinto-Albuquerque, M.: A large-scale study on the security vulnerabilities of cloud deployments. In: Inernational Conference on Ubiquitous Security, pp. 171\u2013188. Springer (2021)","DOI":"10.1007\/978-981-19-0468-4_13"},{"key":"1187_CR21","doi-asserted-by":"crossref","unstructured":"Iqbal, Y., Sindhu, M.A., Arif, M.H., Javed, M.A.: Enhancement in buffer overflow (bof) detection capability of cppcheck static analysis tool. In: 2021 International Conference on Cyber Warfare and Security (ICCWS), pp. 112\u2013117. IEEE (2021)","DOI":"10.1109\/ICCWS53234.2021.9703043"},{"key":"1187_CR22","unstructured":"Koishybayev, I., Nahapetyan, A., Zachariah, R., Muralee, S., Reaves, B., Kapravelos, A., Machiry, A.: Characterizing the security of github $$\\{CI\\}$$ workflows. In: 31st USENIX Security Symposium (USENIX Security 22), pp. 2747\u20132763 (2022)"},{"key":"1187_CR23","doi-asserted-by":"publisher","unstructured":"Koneru, N.: Integrating security into ci\/cd pipelines: A devsecops approach with sast, dast, and sca tools. International Journal of Science and Research Archive 3, 250\u2013265 (2021). https:\/\/doi.org\/10.30574\/ijsra.2021.3.1.0080","DOI":"10.30574\/ijsra.2021.3.1.0080"},{"key":"1187_CR24","doi-asserted-by":"crossref","unstructured":"Lehto, M.: Cyber-attacks against critical infrastructure. In: Cyber security: Critical infrastructure protection, pp. 3\u201342. Springer (2022)","DOI":"10.1007\/978-3-030-91293-2_1"},{"key":"1187_CR25","doi-asserted-by":"crossref","unstructured":"Li, F., Paxson, V.: A large-scale empirical study of security patches. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 2201\u20132215 (2017)","DOI":"10.1145\/3133956.3134072"},{"key":"1187_CR26","unstructured":"Marjam\u00e4ki, D.: Cppcheck \u2013 a tool for static c\/c++ code analysis. https:\/\/cppcheck.sourceforge.io\/. Accessed: 2025-06-15"},{"issue":"2","key":"1187_CR27","doi-asserted-by":"publisher","first-page":"9","DOI":"10.1145\/3375408.3375410","volume":"38","author":"B Martin","year":"2019","unstructured":"Martin, B.: Common vulnerabilities enumeration (cve), common weakness enumeration (cwe), and common quality enumeration (cqe) attempting to systematically catalog the safety and security challenges for modern, networked, software-intensive systems. ACM SIGAda Ada Letters 38(2), 9\u201342 (2019)","journal-title":"ACM SIGAda Ada Letters"},{"key":"1187_CR28","doi-asserted-by":"crossref","unstructured":"Meli, M., McNiece, M.R., Reaves, B.: How bad can it git? characterizing secret leakage in public github repositories. In: NDSS (2019)","DOI":"10.14722\/ndss.2019.23418"},{"key":"1187_CR29","unstructured":"MITRE: Cwe-327: Use of a broken or risky cryptographic algorithm. https:\/\/cwe.mitre.org\/data\/definitions\/327.html. Accessed: 2025-06-20"},{"key":"1187_CR30","doi-asserted-by":"crossref","unstructured":"Mossberg, M., Manzano, F., Hennenfent, E., Groce, A., Grieco, G., Feist, J., Brunson, T., Dinaburg, A.: Manticore: A user-friendly symbolic execution framework for binaries and smart contracts. In: 2019 34th IEEE\/ACM International Conference on Automated Software Engineering (ASE), pp. 1186\u20131189. IEEE (2019)","DOI":"10.1109\/ASE.2019.00133"},{"key":"1187_CR31","unstructured":"Perego, P.: Dawnscanner \u2013 the raising security scanner for ruby web applications. https:\/\/github.com\/thesp0nge\/dawnscanner\/. Accessed: 2025-07-30"},{"key":"1187_CR32","doi-asserted-by":"crossref","unstructured":"Pereira, J.D., Vieira, M.: On the use of open-source c\/c++ static analysis tools in large projects. In: 2020 16th European Dependable Computing Conference (EDCC), pp. 97\u2013102. IEEE (2020)","DOI":"10.1109\/EDCC51268.2020.00025"},{"key":"1187_CR33","unstructured":"PyCQA: Welcome to bandit. https:\/\/bandit.readthedocs.io\/en\/latest\/index.html. Accessed: 2025-06-15"},{"key":"1187_CR34","unstructured":"dehvCurtis: vulnerable-code-examples. https:\/\/github.com\/dehvCurtis\/vulnerable-code-examples. Accessed: 2025-07-30"},{"key":"1187_CR35","unstructured":"Design security: progpilot \u2013 a static application security testing (sast) for php. https:\/\/github.com\/designsecurity\/progpilot. Accessed: 2025-07-30"},{"key":"1187_CR36","unstructured":"Insider Application Security Team: Insider. https:\/\/github.com\/insidersec\/insider. Accessed: 2025-07-30"},{"key":"1187_CR37","unstructured":"NCC Group Plc: Sobelow. https:\/\/github.com\/nccgroup\/sobelow. Accessed: 2025-07-30"},{"key":"1187_CR38","unstructured":"OWASP Foundation: Owasp top ten. https:\/\/owasp.org\/www-project-top-ten\/. Accessed: 2025-07-30"},{"key":"1187_CR39","unstructured":"Semgrep: Semgrep \u2013 code scanning at ludicrous speed. https:\/\/github.com\/semgrep\/semgrep. Accessed: 2025-07-30"},{"issue":"75","key":"1187_CR40","first-page":"51003","volume":"13","author":"N Sharma","year":"2022","unstructured":"Sharma, N., Sharma, S., et al.: A survey of mythril, a smart contract security analysis tool for evm bytecode. Indian Journal of Natural Sciences 13(75), 51003\u201351010 (2022)","journal-title":"Indian Journal of Natural Sciences"},{"key":"1187_CR41","unstructured":"Sun, W., Fang, C., Miao, Y., You, Y., Yuan, M., Chen, Y., Zhang, Q., Guo, A., Chen, X., Liu, Y., et\u00a0al.: Abstract syntax tree for programming language understanding and representation: How far are we? arXiv preprint arXiv:2312.00413 (2023)"},{"key":"1187_CR42","doi-asserted-by":"publisher","unstructured":"Sun, Y., Wu, D., Xue, Y., Liu, H., Wang, H., Xu, Z., Xie, X., Liu, Y.: GPTScan: Detecting logic vulnerabilities in smart contracts by combining gpt with program analysis. In: Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering, ICSE \u201924. Association for Computing Machinery, New York, NY, USA (2024). https:\/\/doi.org\/10.1145\/3597503.3639117","DOI":"10.1145\/3597503.3639117"},{"key":"1187_CR43","doi-asserted-by":"crossref","unstructured":"Thompson, C., Wagner, D.: A large-scale study of modern code review and security in open source projects. In: Proceedings of the 13th International Conference on Predictive Models and Data Analytics in Software Engineering, pp. 83\u201392 (2017)","DOI":"10.1145\/3127005.3127014"},{"key":"1187_CR44","doi-asserted-by":"crossref","unstructured":"Tolaram, N.: Gosec and ast. In: Software Development with Go: Cloud-Native Programming using Golang with Linux and Docker, pp. 111\u2013130. Springer (2022)","DOI":"10.1007\/978-1-4842-8731-6_7"},{"key":"1187_CR45","doi-asserted-by":"publisher","unstructured":"Wadhams, Z.D., Izurieta, C., Reinhold, A.M.: Barriers to using static application security testing (sast) tools: A literature review. In: Proceedings of the 39th IEEE\/ACM International Conference on Automated Software Engineering Workshops, ASEW \u201924, p. 161\u2013166. Association for Computing Machinery, New York, NY, USA (2024). https:\/\/doi.org\/10.1145\/3691621.3694947","DOI":"10.1145\/3691621.3694947"},{"key":"1187_CR46","doi-asserted-by":"crossref","unstructured":"Wadhams, Z.D., Izurieta, C., Reinhold, A.M.: Barriers to using static application security testing (sast) tools: A literature review. In: Proceedings of the 39th IEEE\/ACM International Conference on Automated Software Engineering Workshops, pp. 161\u2013166 (2024)","DOI":"10.1145\/3691621.3694947"},{"key":"1187_CR47","unstructured":"Wheeler, D.: Flawfinder. https:\/\/dwheeler.com\/flawfinder\/. Accessed: 2025-07-30"},{"key":"1187_CR48","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.104181","volume":"148","author":"S Woo","year":"2025","unstructured":"Woo, S., Choi, E., Lee, H.: A large-scale analysis of the effectiveness of publicly reported security patches. Computers & Security 148, 104181 (2025)","journal-title":"Computers & Security"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01187-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-025-01187-w","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01187-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,31]],"date-time":"2026-01-31T16:08:31Z","timestamp":1769875711000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-025-01187-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,6]]},"references-count":48,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2026,2]]}},"alternative-id":["1187"],"URL":"https:\/\/doi.org\/10.1007\/s10207-025-01187-w","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,6]]},"assertion":[{"value":"30 October 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"6 December 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"6 January 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"24"}}