An Empirical Study of Commits in Pillow

Abstract

Pillow is the Python Imaging Library that adds image processing capabilities to the Python interpreter. It provides extensive file format support, an efficient internal representation, and fairly powerful image processing capabilities. In the past decades, there has been an increasing tendency for vulnerabilities reported to NVD, but not all of the vulnerabilities have been reported and patched in time. In order to fill the gap, we collect 14944 commits from Pillow repositories and conduct a thorough empirical study of the commits in Pillow, distinguishing security commits from non-security and bugfix commits. Leveraging the diverse set of information from commit message and code difference, we conduct an analysis of various aspects of the patch development life cycle, including an investigation into the duration, and the timeliness of patch development. We then characterize the nature of security fixes in comparison to other non-security bug fixes, exploring the complexity of different types of patches and their impact on Pillow. Furthermore, we carried out investigations on patches over various language pairs, gaining insights into the principles of cross-language combinations through semantic and syntactic perspectives. Our research provides some insights into identifying security commits in time and calls for more attention to ensuring timely fixes for vulnerabilities.