ARAÚJO, J. J. S.; http://lattes.cnpq.br/6632300771785126; ARAÚJO, Jerônimo Jairo Silva de.
Abstract:
Security vulnerabilities in computer systems are often complex problems to deal with, and even with
improvements in the development process they tend to persist. A lack of interest in removing these
vulnerabilities during development can become a setback in the future (technical debt), lead to
improper access, expose user data, and result in financial costs to the company. Thus, the
identification and removal of these vulnerabilities must remain a concern throughout the entire
software development process. In this work, static analysis tools (Checkmarx, Black Duck and JFrog
Xray) are used to analyze the evolution, the distribution by risk class and the lifetime of security
vulnerabilities in a project developed by a large company in partnership with the Distributed Systems
Lab. The project in question is a service that offers management of observability resources.
The results show that the vulnerabilities affecting open-source components, as reported by the
Black Duck and JFrog Xray tools, were being addressed. However, the security vulnerabilities in the
project's own code that were reported by the Checkmarx tool were not being addressed.