Exploring the Relationship Between Architecture Coupling and Software Vulnerabilities: A Google Chrome Case

by Robert Lagerström, Carliss Y. Baldwin, Alan MacCormack, Dan Sturtevant, and Lee Doolan

Overview — Managing software vulnerabilities is a pressing problem. Using the Google Chrome codebase as a case, the authors relate software metrics, including architecture coupling measures, to software vulnerabilities. The paper adds new findings to research on software metrics and vulnerabilities, moving the field closer to generalizable and conclusive results.

Author Abstract

Employing software metrics, such as size and complexity, for predicting defects has been given a lot of attention over the years and has proven very useful. However, the few studies looking at software architecture and vulnerabilities are limited in scope and findings. We explore the relationship between software vulnerabilities and component metrics (like code churn and cyclomatic complexity) as well as architecture coupling metrics (direct, indirect, and cyclic coupling). Our case is based on the Google Chromium project, an open-source project that has not yet been studied for this topic. Our findings show a strong relationship between vulnerabilities and both component level metrics and architecture coupling metrics. Unfortunately, the effects of different types of coupling are somewhat hard to distinguish.
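As an added illustration, not code from the paper or from the Chromium project, the following Python computes the three kinds of architecture coupling the abstract names (direct, indirect, cyclic) for a small constructed component dependency graph. The operational definitions are an assumption, following the usual dependency-graph reading of these terms: direct coupling is immediate fan-out and fan-in, indirect coupling is fan-out and fan-in over all transitively reachable components, and cyclic coupling is membership in a dependency cycle. The component names and edges are constructed for the example and are not Chromium's actual dependencies.

```python
"""Direct, indirect and cyclic coupling over a component dependency graph.

Added example; the paper's exact operationalization of the metrics is not
given on this page, so the definitions used here are an assumption:
  direct   - components depended on / depending on a component directly
  indirect - components reachable through any chain of dependencies
             (the component itself is excluded, even when it sits in a cycle)
  cyclic   - components that can reach each other, i.e. share a dependency cycle
"""
from collections import defaultdict

# Constructed sample graph (assumption, not Chromium's real structure).
# An edge A -> B means "A depends on B".
SAMPLE_DEPS = {
    "core":    set(),
    "crypto":  {"core"},
    "net":     {"core", "crypto"},
    "storage": {"core"},
    "render":  {"core", "net", "browser"},            # render <-> browser
    "browser": {"core", "net", "storage", "render"},  # form a cycle
}


def direct_coupling(deps):
    """Return {component: (direct fan-out, direct fan-in)}."""
    fan_in = defaultdict(int)
    for comp, targets in deps.items():
        for target in targets:
            fan_in[target] += 1
    return {comp: (len(targets), fan_in[comp]) for comp, targets in deps.items()}


def reachable(deps, start):
    """All components reachable from `start` via one or more edges, excluding `start`."""
    seen, stack = set(), list(deps[start])
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(deps.get(node, ()))
    seen.discard(start)   # a cycle back to the start is not counted as self-coupling
    return seen


def indirect_coupling(deps):
    """Return {component: (indirect fan-out, indirect fan-in)} using transitive reach."""
    reach = {comp: reachable(deps, comp) for comp in deps}
    fan_in = defaultdict(set)
    for comp, targets in reach.items():
        for target in targets:
            fan_in[target].add(comp)
    return {comp: (len(reach[comp]), len(fan_in[comp])) for comp in deps}


def cyclic_groups(deps):
    """Return the sets of components that mutually reach each other (size > 1).

    Two components share a cycle exactly when each is reachable from the other,
    so each group is a strongly connected component of the dependency graph.
    """
    reach = {comp: reachable(deps, comp) for comp in deps}
    groups, assigned = [], set()
    for comp in deps:
        if comp in assigned:
            continue
        group = {comp} | {other for other in reach[comp] if comp in reach[other]}
        if len(group) > 1:
            groups.append(frozenset(group))
        assigned |= group
    return groups


def coupling_report(deps):
    """Combine the three coupling views into one per-component record."""
    direct = direct_coupling(deps)
    indirect = indirect_coupling(deps)
    cycles = cyclic_groups(deps)
    in_cycle = set().union(*cycles) if cycles else set()
    return {
        comp: {
            "direct_out": direct[comp][0],
            "direct_in": direct[comp][1],
            "indirect_out": indirect[comp][0],
            "indirect_in": indirect[comp][1],
            "cyclic": comp in in_cycle,
        }
        for comp in deps
    }


if __name__ == "__main__":
    for comp, row in coupling_report(SAMPLE_DEPS).items():
        print(f"{comp:8s} {row}")
```

In the constructed graph, "core" has the highest direct and indirect fan-in (every other component depends on it), while "render" and "browser" are the only components in a cycle and also have the largest indirect fan-out. Under the abstract's finding that vulnerabilities correlate with both component-level and coupling metrics, a report of this shape is the kind of input a team could use to prioritize review or fuzzing effort, with the caveat the authors themselves raise: the three coupling types overlap heavily here, so the report alone does not say which kind of coupling matters.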

Paper Information