Security Vulnerabilities of Eclipse Application Programming Interfaces: An Empirical Analysis

DOI: https://doi.org/10.21015/vtcs.v14i1.2196

Abstract

The Eclipse framework distinguishes stable public APIs from internal (non-API) packages that may change without notice; neither kind of interface, however, comes with any formal assurance that it has been comprehensively evaluated for security vulnerabilities, and earlier studies found that many developers are unaware of most of the vulnerabilities in the interfaces they use. Applications built on vulnerable APIs risk failing and remain exposed to attack until the underlying vulnerabilities are fixed. Discovering and fixing a security vulnerability is a difficult process that typically takes at least three years. Developers who depend on affected APIs are therefore frequently compelled either to address the vulnerabilities themselves or to stop using the interfaces. This study aims to identify interfaces within the Eclipse framework that are free from known security vulnerabilities and to recommend them for safer adoption by application developers. To that end, an empirical investigation was conducted with the SonarQube static analysis tool across 28 major Eclipse releases, focusing on the presence and distribution of vulnerability-free interfaces. The study produced a dataset of approximately 222K public APIs and 292K internal APIs with no SonarQube-detected security issues. On average, about 91.4% of public APIs and 85.3% of internal APIs across the analyzed releases exhibit no detected security vulnerabilities, and the average time required to remediate the vulnerabilities that were identified was estimated at 1,425 days. These results offer guidance to both API providers and API users by identifying more reliable interfaces and by indicating the effort required to resolve security issues. The dataset of vulnerability-free interfaces has been made publicly available via GitHub to support the development of more secure software systems.
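As an added illustration of the kind of computation the abstract describes (this is not code from the paper or from the Eclipse project), the following script classifies Java types as public API or internal by Eclipse's package-naming convention (a package segment named `internal` marks non-API code), counts the types in each release that carry no SonarQube issue of type `VULNERABILITY`, and measures how many days a vulnerable type stays vulnerable across successive releases. The release dates, type lists, issue payloads and rule keys are constructed fixtures; the conversion of a SonarQube component key to a Java type name assumes a source root sitting directly above an `org` directory, which is an assumption of this example rather than a fact about the study.

```python
"""Per-release share of Eclipse types with no SonarQube VULNERABILITY issue, split
into public API vs internal packages, plus days-to-remediation across releases.
Added illustration; every input below is a constructed fixture, not paper data."""
import json
from datetime import date

# Chronological release order (constructed dates, not asserted as real ones).
RELEASE_DATES = {
    "4.2": date(2012, 6, 27),
    "4.3": date(2013, 6, 26),
    "4.4": date(2014, 6, 25),
    "4.5": date(2015, 6, 24),
}
RELEASES = list(RELEASE_DATES)  # dict insertion order is chronological here

# Fully qualified type names shipped in each release (constructed).
_CORE = {"org.eclipse.core.runtime.Platform", "org.eclipse.core.runtime.Path",
         "org.eclipse.jface.dialogs.Dialog", "org.eclipse.core.internal.runtime.Log"}
TYPES_PER_RELEASE = {
    "4.2": _CORE | {"org.eclipse.core.internal.jobs.Worker"},
    "4.3": _CORE | {"org.eclipse.core.internal.jobs.Worker"},
    "4.4": set(_CORE),  # Worker deleted in 4.4 rather than fixed
    "4.5": set(_CORE),
}


def _issue(release, path, kind, rule):
    """One record shaped like SonarQube's api/issues/search output (rule keys are placeholders)."""
    return {"type": kind, "rule": rule, "severity": "MAJOR",
            "component": f"eclipse-{release}:bundles/{path}"}


_LOG = "org.eclipse.core.runtime/src/org/eclipse/core/internal/runtime/Log.java"
_PATH = "org.eclipse.core.runtime/src/org/eclipse/core/runtime/Path.java"
_PLATFORM = "org.eclipse.core.runtime/src/org/eclipse/core/runtime/Platform.java"
_WORKER = "org.eclipse.core.jobs/src/org/eclipse/core/internal/jobs/Worker.java"

# Constructed scan results per release, serialised as a scan export would be.
SONAR_ISSUES = {
    "4.2": json.dumps({"issues": [_issue("4.2", _LOG, "VULNERABILITY", "rule-A"),
                                  _issue("4.2", _PLATFORM, "BUG", "rule-B")]}),
    "4.3": json.dumps({"issues": [_issue("4.3", _LOG, "VULNERABILITY", "rule-A"),
                                  _issue("4.3", _PATH, "VULNERABILITY", "rule-C"),
                                  _issue("4.3", _WORKER, "VULNERABILITY", "rule-D")]}),
    "4.4": json.dumps({"issues": [_issue("4.4", _PATH, "VULNERABILITY", "rule-C")]}),
    "4.5": json.dumps({"issues": [_issue("4.5", _PATH, "VULNERABILITY", "rule-C")]}),
}


def is_internal(fqcn):
    """Eclipse convention: a package containing a segment named 'internal' is non-API."""
    return "internal" in fqcn.split(".")[:-1]


def component_to_fqcn(component):
    """'project:path/to/org/eclipse/x/Y.java' -> 'org.eclipse.x.Y' (assumes an 'org' source dir)."""
    path = component.split(":", 1)[1]
    if not path.endswith(".java"):
        raise ValueError(f"not a Java source component: {component}")
    segs = path[: -len(".java")].split("/")
    return ".".join(segs[segs.index("org"):])


def vulnerable_types(issues_json):
    """Types with at least one issue of type VULNERABILITY; BUG and CODE_SMELL are ignored."""
    data = json.loads(issues_json)
    return {component_to_fqcn(i["component"]) for i in data["issues"]
            if i["type"] == "VULNERABILITY"}


def vulnerability_free_share(release):
    """{'public': (free, total), 'internal': (free, total)} for one release."""
    types = TYPES_PER_RELEASE[release]
    vuln = vulnerable_types(SONAR_ISSUES[release])
    out = {}
    for kind, pred in (("public", lambda t: not is_internal(t)), ("internal", is_internal)):
        group = {t for t in types if pred(t)}
        out[kind] = (len(group - vuln), len(group))
    return out


def remediation_days():
    """Days from the first vulnerable release to the first later release that still
    ships the type without the issue.  A type that is deleted instead of fixed, or is
    still vulnerable in the last release, maps to None so it cannot skew the mean."""
    vuln_by_release = {r: vulnerable_types(SONAR_ISSUES[r]) for r in RELEASES}
    result = {}
    for i, r in enumerate(RELEASES):
        for t in vuln_by_release[r]:
            if t in result:  # already seen in an earlier release
                continue
            result[t] = None
            for later in RELEASES[i + 1:]:
                if t not in TYPES_PER_RELEASE[later]:
                    break  # removed, not remediated
                if t not in vuln_by_release[later]:
                    result[t] = (RELEASE_DATES[later] - RELEASE_DATES[r]).days
                    break
    return result


def mean_remediation_days():
    fixed = [d for d in remediation_days().values() if d is not None]
    return sum(fixed) / len(fixed) if fixed else None


if __name__ == "__main__":
    for r in RELEASES:
        print(r, vulnerability_free_share(r))
    print("remediation:", remediation_days(), "mean:", mean_remediation_days())
```

Two points the numbers depend on: only issues of type `VULNERABILITY` are counted, so a "vulnerability-free" type is one without a SonarQube vulnerability finding, not one proven secure; and a vulnerable type that disappears from the next release is treated as deleted, not remediated, so it does not shorten the average remediation time.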

Published

2026-04-19

How to Cite

Kawuma, S., Bamutura, D. S., Obbo, A., Kabarungi, M., Dickson, K., & Mabirizi, V. (2026). Security Vulnerabilities of Eclipse Application Programming Interfaces: An Empirical Analysis. VAWKUM Transactions on Computer Sciences, 14(1), 96–109. https://doi.org/10.21015/vtcs.v14i1.2196