SRC010 — https://arxiv.org/html/2605.07900v1
Metadata
| Field | Value |
|---|---|
| URL | https://arxiv.org/html/2605.07900v1 |
| Authors | Academic researchers (arxiv preprint) |
| Date | 2026-05-08 |
Content Summary
The largest academic study of CodeQL on open-source codebases to date, analyzing 114 CodeQL versions against 3,993 CVEs from 1,622 repositories (over 20 billion lines of code). CodeQL identified 171 of the CVEs, 83 of which were detectable in the pre-fix code. Adoption rates range between 10% and 30% across languages. CVE detection is not monotonic across CodeQL versions: a CVE found by one version can be missed by a later one.
Reliability: High
Academic preprint with a very large dataset (over 20 billion lines of code analyzed) and a rigorous, longitudinal methodology.
Relevance: High
Provides the most authoritative CodeQL adoption rates and effectiveness data available.
Bias Assessment
| Domain | Rating | Rationale |
|---|---|---|
| Missing Data | Low risk | Comprehensive dataset covering 1,622 repositories and 3,993 CVEs. |
| Measurement | Low risk | Systematic methodology analyzing 114 CodeQL versions longitudinally. |
| Selective Reporting | Low risk | Reports both positive findings (83 pre-fix detections) and negative (21 CVEs lost between versions). |
| Randomization | N/A | Not an RCT. |
| Protocol Deviation | N/A | Not an RCT. |
| Conflict Of Interest | Low risk | Academic research with no apparent commercial ties to GitHub or CodeQL. |