Closed andymeneely closed 9 years ago
@frauagrippa is also working on this
As we discussed in the meeting, feel free to elaborate on this metric idea and try out a few things. We'll have to narrow it down for a paper but let's explore the idea.
How are we doing on this? Anything worth pushing?
Looking at this article as it seems quite related: Who is going to Mentor Newcomers in Open Source Projects? link: http://dl.acm.org/citation.cfm?id=2393647 pdf link: https://dibt.unimol.it/tools/YODA/resources/fse2012.pdf
Yep, I know that paper. Saw it presented in Szeged, Hungary two years ago :) They will be in our related work. They approached it a lot differently, but it's got a lot of the same ideas.
That's pretty cool ;o I haven't read it yet; would it be worth the read or not / beneficial to read?
This was done last week, but I need to integrate it into the nightly build.
Currently, we have a field called
security_experienced
for participants. The field is a boolean for whether or not the person has, at the time of this code review, participated on the FIX of a vulnerability. Presumably, this means that this person would learn about thinking about security and start using that mindset in THIS code review. In our study, we found that files with more security experienced participants over time are less likely to have vulnerabilities in the future.But what about knowledge transfer effects? For the participants in each code review, maybe they learned about security from someone else they've worked with who is security experienced. Let's measure that effect with this field.
Being "security adjacent" means that, at some point in the past, this participant has co-participated with another developer who was security-experienced at the time. We should count those security adjacencies and store them here. We can then add that up over time and do "security_adjacencies_per_review". Let's make it a distinct number of developers so two people working together doesn't keep stacking up.
For example:
To complete this, we need:
participants
security_adjacencies_per_review
field inrelease_filepaths