{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,17]],"date-time":"2026-01-17T20:05:33Z","timestamp":1768680333347,"version":"3.49.0"},"reference-count":49,"publisher":"Springer Science and Business Media LLC","issue":"6","license":[{"start":{"date-parts":[[2021,9,22]],"date-time":"2021-09-22T00:00:00Z","timestamp":1632268800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2021,9,22]],"date-time":"2021-09-22T00:00:00Z","timestamp":1632268800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2021,11]]},"DOI":"10.1007\/s10664-021-10019-z","type":"journal-article","created":{"date-parts":[[2021,9,22]],"date-time":"2021-09-22T11:04:10Z","timestamp":1632308650000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":6,"title":["Fixing vulnerabilities potentially hinders maintainability"],"prefix":"10.1007","volume":"26","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5690-2279","authenticated-orcid":false,"given":"Sofia","family":"Reis","sequence":"first","affiliation":[]},{"given":"Rui","family":"Abreu","sequence":"additional","affiliation":[]},{"given":"Luis","family":"Cruz","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,9,22]]},"reference":[{"key":"10019_CR1","doi-asserted-by":"publisher","unstructured":"Acar Y, Stransky C, Wermke D, Weir C, Mazurek ML, Fahl S (2017) Developers need support, too: A survey of security advice for software developers. In: 2017 IEEE cybersecurity development (SecDev), pp 22\u201326. https:\/\/doi.org\/10.1109\/SecDev.2017.17","DOI":"10.1109\/SecDev.2017.17"},{"key":"10019_CR2","doi-asserted-by":"publisher","unstructured":"Alves TL, Correia JP, Visser J (2011) Benchmark-based aggregation of metrics to ratings. In: 2011 Joint conference of the 21st international workshop on software measurement and the 6th international conference on software process and product measurement, pp 20\u201329. https:\/\/doi.org\/10.1109\/IWSM-MENSURA.2011.15","DOI":"10.1109\/IWSM-MENSURA.2011.15"},{"key":"10019_CR3","doi-asserted-by":"publisher","unstructured":"Alves TL, Ypma C, Visser J (2010) Deriving metric thresholds from benchmark data. In: 2010 IEEE international conference on software maintenance, pp 1\u201310. https:\/\/doi.org\/10.1109\/ICSM.2010.5609747","DOI":"10.1109\/ICSM.2010.5609747"},{"issue":"2","key":"10019_CR4","doi-asserted-by":"publisher","first-page":"287","DOI":"10.1007\/s11219-011-9144-9","volume":"20","author":"R Baggen","year":"2012","unstructured":"Baggen R, Correia JP, Schill K, Visser J (2012) Standardized code quality benchmarking for improving software maintainability. Softw Qual J 20 (2):287\u2013307. https:\/\/doi.org\/10.1007\/s11219-011-9144-9","journal-title":"Softw Qual J"},{"key":"10019_CR5","doi-asserted-by":"crossref","unstructured":"Berger ED, Hollenbeck C, Maj P, Vitek O, Vitek J (2019) On the impact of programming languages on code quality. arXiv:1901.10220","DOI":"10.1145\/3340571"},{"issue":"2","key":"10019_CR6","doi-asserted-by":"publisher","first-page":"265","DOI":"10.1007\/s11219-011-9140-0","volume":"20","author":"D Bijlsma","year":"2012","unstructured":"Bijlsma D, Ferreira MA, Luijten B, Visser J (2012) Faster issue resolution with higher technical quality of software. Softw Qual J. 20(2):265\u2013285. https:\/\/doi.org\/10.1007\/s11219-011-9140-0","journal-title":"Softw Qual J."},{"key":"10019_CR7","doi-asserted-by":"publisher","unstructured":"Chowdhury I, Zulkernine M (2010) Can complexity, coupling, and cohesion metrics be used as early indicators of vulnerabilities?. In: Proceedings of the 2010 ACM symposium on applied computing, SAC \u201910. pp 1963\u20131969, Association for Computing Machinery, New York, NY, USA. https:\/\/doi.org\/10.1145\/1774088.1774504","DOI":"10.1145\/1774088.1774504"},{"key":"10019_CR8","unstructured":"Common Criteria Working Group (2009) Common methodology for information technology security evaluation. Tech. rep., Technical report, Common Criteria Interpretation Management Board"},{"key":"10019_CR9","doi-asserted-by":"crossref","unstructured":"Cruz L, Abreu R, Grundy J, Li L, Xia X (2019) Do energy-oriented changes hinder maintainability?. In: 2019 IEEE International conference on software maintenance and evolution (ICSME), pp 29\u201340","DOI":"10.1109\/ICSME.2019.00013"},{"key":"10019_CR10","doi-asserted-by":"crossref","unstructured":"di Biase M, Rastogi A, Bruntink M, van Deursen A (2019) The delta maintainability model: Measuring maintainability of fine-grained code changes. In: 2019 IEEE\/ACM international conference on technical debt (TechDebt), pp 113\u2013122","DOI":"10.1109\/TechDebt.2019.00030"},{"key":"10019_CR11","doi-asserted-by":"crossref","unstructured":"Elkhail AA, Cerny T (2019) On relating code smells to security vulnerabilities. In: 2019 IEEE 5th intl conference on big data security on cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing, (HPSC) and IEEE intl conference on intelligent data and security (IDS), pp 7\u201312","DOI":"10.1109\/BigDataSecurity-HPSC-IDS.2019.00013"},{"key":"10019_CR12","unstructured":"Foundation TO (2017) Owasp top 10 - 2017, The ten most critical web application security risks. Tech. rep., The OWASP Foundation. Release Candidate"},{"key":"10019_CR13","unstructured":"Foundation TO (2017) Owasp top 10 - 2017, The ten most critical web application security risks. Tech. rep., The OWASP Foundation. Release Candidate"},{"key":"10019_CR14","doi-asserted-by":"publisher","first-page":"313","DOI":"10.1016\/j.infsof.2017.11.012","volume":"95","author":"P Hegedu\u030bs","year":"2018","unstructured":"Hegedu\u030bs P, K\u00e1d\u00e1r I, Ferenc R, Gyim\u00f3thy T (2018) Empirical evaluation of software maintainability based on a manually validated refactoring dataset. Inf Softw Technol 95:313\u2013327. https:\/\/doi.org\/10.1016\/j.infsof.2017.11.012","journal-title":"Inf Softw Technol"},{"key":"10019_CR15","doi-asserted-by":"crossref","unstructured":"Hegedu\u030bs P, B\u00e1n D, Ferenc R, Gyim\u00f3thy T (2012) Myth or reality? analyzing the effect of design patterns on software maintainability. In: Computer applications for software engineering, disaster recovery, and business continuity. Springer, Berlin, pp 138\u2013145","DOI":"10.1007\/978-3-642-35267-6_18"},{"key":"10019_CR16","doi-asserted-by":"publisher","unstructured":"Heitlager I, Kuipers T, Visser J (2007) A practical model for measuring maintainability. In: 6th International conference on the quality of information and communications technology (QUATIC 2007), pp 30\u201339. https:\/\/doi.org\/10.1109\/QUATIC.2007.8","DOI":"10.1109\/QUATIC.2007.8"},{"key":"10019_CR17","unstructured":"International Organization for Standardization (2011) International standard ISO\/IEC 25010 systems and software engineering - systems and software quality requirements and evaluation (SQuaRE) - system and software quality models"},{"key":"10019_CR18","doi-asserted-by":"crossref","unstructured":"Islam MR, Zibran MF (2016) A comparative study on vulnerabilities in categories of clones and non-cloned code. In: 2016 IEEE 23rd international conference on software analysis, evolution, and reengineering (SANER), vol 3, pp 8\u201314","DOI":"10.1109\/SANER.2016.90"},{"key":"10019_CR19","doi-asserted-by":"crossref","unstructured":"Just R, Jalali D, Inozemtseva L, Ernst MD, Holmes R, Fraser G (2014) Are mutants a valid substitute for real faults in software testing?. In: Proceedings of the 22nd ACM SIGSOFT international symposium on foundations of software engineering. ACM, pp 654\u2013665","DOI":"10.1145\/2635868.2635929"},{"key":"10019_CR20","doi-asserted-by":"publisher","unstructured":"Kataoka Y, Imai T, Andou H, Fukaya T (2002) A quantitative evaluation of maintainability enhancement by refactoring. In: International conference on software maintenance, 2002. Proceedings., pp 576\u2013585. https:\/\/doi.org\/10.1109\/ICSM.2002.1167822","DOI":"10.1109\/ICSM.2002.1167822"},{"key":"10019_CR21","doi-asserted-by":"publisher","unstructured":"Khomh F, Gueheneuce Y (2008) Do design patterns impact software quality positively?. In: 2008 12th European conference on software maintenance and reengineering, pp 274\u2013278. https:\/\/doi.org\/10.1109\/CSMR.2008.4493325","DOI":"10.1109\/CSMR.2008.4493325"},{"key":"10019_CR22","doi-asserted-by":"crossref","unstructured":"Kurilova D, Potanin A, Aldrich J (2014) Wyvern: Impacting software security via programming language design. In: Proceedings of the 5th workshop on evaluation and usability of programming languages and tools, pp 57\u201358","DOI":"10.1145\/2688204.2688216"},{"key":"10019_CR23","doi-asserted-by":"publisher","unstructured":"Li F, Paxson V (2017) A large-scale empirical study of security patches. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, CCS \u201917, pp 2201\u20132215, Association for Computing Machinery, New York, NY, USA. https:\/\/doi.org\/10.1145\/3133956.3134072","DOI":"10.1145\/3133956.3134072"},{"key":"10019_CR24","doi-asserted-by":"publisher","unstructured":"Malavolta I, Verdecchia R, Filipovic B, Bruntink M, Lago P (2018) How maintainability issues of android apps evolve. In: 2018 IEEE international conference on software maintenance and evolution (ICSME), pp 334\u2013344. https:\/\/doi.org\/10.1109\/ICSME.2018.00042","DOI":"10.1109\/ICSME.2018.00042"},{"key":"10019_CR25","doi-asserted-by":"publisher","unstructured":"Maruyama K, Tokoda K (2008) Security-aware refactoring alerting its impact on code vulnerabilities. In: 2008 15th Asia-pacific software engineering conference, pp 445\u2013452. https:\/\/doi.org\/10.1109\/APSEC.2008.57","DOI":"10.1109\/APSEC.2008.57"},{"issue":"4","key":"10019_CR26","doi-asserted-by":"publisher","first-page":"308","DOI":"10.1109\/TSE.1976.233837","volume":"SE-2","author":"TJ McCabe","year":"1976","unstructured":"McCabe TJ (1976) A complexity measure. IEEE Trans Softw Eng SE-2(4):308\u2013320. https:\/\/doi.org\/10.1109\/TSE.1976.233837","journal-title":"IEEE Trans Softw Eng"},{"issue":"2","key":"10019_CR27","doi-asserted-by":"publisher","first-page":"80","DOI":"10.1109\/MSECP.2004.1281254","volume":"2","author":"G McGraw","year":"2004","unstructured":"McGraw G (2004) Software security. IEEE Secur Priv 2(2):80\u201383","journal-title":"IEEE Secur Priv"},{"key":"10019_CR28","doi-asserted-by":"publisher","unstructured":"McGraw KO, Wong SP (1992) A common language effect size statistic psychological bulletin. https:\/\/doi.org\/10.1037\/0033-2909.111.2.361","DOI":"10.1037\/0033-2909.111.2.361"},{"key":"10019_CR29","doi-asserted-by":"publisher","unstructured":"Nistor L, Kurilova D, Balzer S, Chung B, Potanin A, Aldrich J (2013) Wyvern: A simple, typed, and pure object-oriented language. In: Proceedings of the 5th Workshop on MechAnisms for SPEcialization, Generalization and InHerItance, MASPEGHI \u201913, pp 9\u201316, Association for Computing Machinery, New York, NY, USA. https:\/\/doi.org\/10.1145\/2489828.2489830","DOI":"10.1145\/2489828.2489830"},{"key":"10019_CR30","unstructured":"Olivari M (2018) Maintainable production: A model of developer productivity based on source code contributions. Master\u2019s thesis University of Amsterdam"},{"issue":"3","key":"10019_CR31","doi-asserted-by":"publisher","first-page":"1188","DOI":"10.1007\/s10664-017-9535-z","volume":"23","author":"F Palomba","year":"2018","unstructured":"Palomba F, Bavota G, Penta MD, Fasano F, Oliveto R, Lucia AD (2018) On the diffuseness and the impact on maintainability of code smells: A large scale empirical investigation. Empirical Softw Engg 23(3):1188\u20131221. https:\/\/doi.org\/10.1007\/s10664-017-9535-z","journal-title":"Empirical Softw Engg"},{"key":"10019_CR32","doi-asserted-by":"publisher","unstructured":"Ponta SE, Plate H, Sabetta A, Bezzi M, Dangremont C (2019) A manually-curated dataset of fixes to vulnerabilities of open-source software. In: Proceedings of the 16th international conference on mining software repositories, MSR \u201919. IEEE Press, p 383\u2013387. https:\/\/doi.org\/10.1109\/MSR.2019.00064","DOI":"10.1109\/MSR.2019.00064"},{"key":"10019_CR33","doi-asserted-by":"publisher","unstructured":"Pothamsetty V (2005) Where security education is lacking. In: Proceedings of the 2Nd annual conference on information security curriculum development, InfoSecCD \u201905, pp 54\u201358, ACM, New York, NY, USA. https:\/\/doi.org\/10.1145\/1107622.1107635","DOI":"10.1145\/1107622.1107635"},{"issue":"287","key":"10019_CR34","doi-asserted-by":"publisher","first-page":"655","DOI":"10.1080\/01621459.1959.10501526","volume":"54","author":"JW Pratt","year":"1959","unstructured":"Pratt JW (1959) Remarks on zeros and ties in the wilcoxon signed rank procedures. J Am Stat Assoc 54(287):655\u2013667","journal-title":"J Am Stat Assoc"},{"issue":"10","key":"10019_CR35","doi-asserted-by":"publisher","first-page":"91","DOI":"10.1145\/3126905","volume":"60","author":"B Ray","year":"2017","unstructured":"Ray B, Posnett D, Devanbu P, Filkov V (2017) A large-scale study of programming languages and code quality in github. Commun ACM 60 (10):91\u2013100. https:\/\/doi.org\/10.1145\/3126905","journal-title":"Commun ACM"},{"key":"10019_CR36","doi-asserted-by":"publisher","unstructured":"Ray B, Posnett D, Filkov V, Devanbu P (2014) A large scale study of programming languages and code quality in Github. In: Proceedings of the 22Nd ACM SIGSOFT international symposium on foundations of software engineering, FSE 2014, 155\u2013165, ACM, New York, NY, USA. https:\/\/doi.org\/10.1145\/2635868.2635922","DOI":"10.1145\/2635868.2635922"},{"key":"10019_CR37","doi-asserted-by":"publisher","unstructured":"Reis S, Abreu R (2017) A database of existing vulnerabilities to enable controlled testing studies. Int J Secur Softw Eng (IJSSE) 8(3). https:\/\/doi.org\/10.4018\/IJSSE.2017070101","DOI":"10.4018\/IJSSE.2017070101"},{"key":"10019_CR38","unstructured":"Reis S, Abreu R (2017) Secbench: A database of real security vulnerabilities. In: Proceedings of the international workshop on secure software engineering in devops and agile development (SecSE 2017)"},{"key":"10019_CR39","volume-title":"Beyond fear: Thinking sensibly about security in an uncertain world","author":"B Schneier","year":"2006","unstructured":"Schneier B (2006) Beyond fear: Thinking sensibly about security in an uncertain world. Berlin, Springer Science & Business Media"},{"issue":"6","key":"10019_CR40","doi-asserted-by":"publisher","first-page":"772","DOI":"10.1109\/TSE.2010.81","volume":"37","author":"Y Shin","year":"2010","unstructured":"Shin Y, Meneely A, Williams L, Osborne JA (2010) Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. IEEE Trans Softw Eng 37(6):772\u2013787","journal-title":"IEEE Trans Softw Eng"},{"issue":"8","key":"10019_CR41","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1145\/280324.280335","volume":"41","author":"SA Slaughter","year":"1998","unstructured":"Slaughter SA, Harter DE, Krishnan MS (1998) Evaluating the cost of software quality. Commun ACM 41(8):67\u201373","journal-title":"Commun ACM"},{"issue":"8","key":"10019_CR42","doi-asserted-by":"publisher","first-page":"544","DOI":"10.1109\/TSE.2007.70712","volume":"33","author":"R Telang","year":"2007","unstructured":"Telang R, Wattal S (2007) An empirical analysis of the impact of software vulnerability announcements on firm stock price. IEEE Trans Softw Eng 33(8):544\u2013557","journal-title":"IEEE Trans Softw Eng"},{"key":"10019_CR43","unstructured":"The OWASP Foundation (2009) OWASP application security verification standard 2009 - web application standard. Tech rep"},{"key":"10019_CR44","unstructured":"Visser J (2016) Building maintainable software, java edition: Ten guidelines for future-proof code. O\u2019Reilly Media, Inc"},{"key":"10019_CR45","unstructured":"Visser J (2020) Sig\/tUvit evaluation criteria trusted product maintainability: Guidance for producers. Available: https:\/\/bit.ly\/3hnY0Am"},{"issue":"6","key":"10019_CR46","doi-asserted-by":"publisher","first-page":"80","DOI":"10.2307\/3001968","volume":"1","author":"F Wilcoxon","year":"1945","unstructured":"Wilcoxon F (1945) Individual comparisons by ranking methods. Biometrics Bulletin 1(6):80\u201383","journal-title":"Biometrics Bulletin"},{"key":"10019_CR47","doi-asserted-by":"publisher","unstructured":"Xu H, Heijmans J, Visser J (2013) A practical model for rating software security. In: 2013 IEEE seventh international conference on software security and reliability companion, pp 231\u2013232. https:\/\/doi.org\/10.1109\/SERE-C.2013.11","DOI":"10.1109\/SERE-C.2013.11"},{"key":"10019_CR48","doi-asserted-by":"publisher","unstructured":"Zazworka N, Shaw MA, Shull F, Seaman C (2011) Investigating the impact of design debt on software quality. In: Proceedings of the 2nd workshop on managing technical debt, MTD \u201911, pp 17\u201323, Association for Computing Machinery, New York, NY, USA. https:\/\/doi.org\/10.1145\/1985362.1985366","DOI":"10.1145\/1985362.1985366"},{"key":"10019_CR49","doi-asserted-by":"crossref","unstructured":"Zibran MF, Saha RK, Asaduzzaman M, Roy CK (2011) Analyzing and forecasting near-miss clones in evolving software: An empirical study. In: 2011 16th IEEE international conference on engineering of complex computer systems, pp 295\u2013304","DOI":"10.1109\/ICECCS.2011.36"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-021-10019-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-021-10019-z\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-021-10019-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,10,28]],"date-time":"2021-10-28T04:21:56Z","timestamp":1635394916000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-021-10019-z"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,9,22]]},"references-count":49,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2021,11]]}},"alternative-id":["10019"],"URL":"https:\/\/doi.org\/10.1007\/s10664-021-10019-z","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,9,22]]},"assertion":[{"value":"19 May 2021","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"22 September 2021","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}],"article-number":"127"}}