Lines of code per known vulnerability in #curl, 1998 - 2023. I purposely leave out the last year simply because the code there is a little too new to be fair - and that makes the graph really spike.

Note also that this treats all vulns equally, no matter which severity.

#curl
in reply to daniel:// stenberg://

Does this mean that we should ignore the right part of the graph (2015 and newer), and wait to see if the quality did effectively increase so much in recent years?
in reply to robinm

@robinm it certainly might imply that we will get vulnerabilities reported for that period in the coming years, yes. I guess we will be able to tell in the future...
in reply to Howard Chu @ Symas

@hyc Not bad: The number of vulns per kloc is at 1.77 in 1998 and crawls down to 0.112 in late 2022. Still linear y-axis.
