Abstract—New contributors are critical to open source
projects. Without them, the project will eventually atrophy and
become inactive, or its experienced contributors will bias the
future directions the project takes. However, new contributors
can also bring a greater risk of introducing vulnerable code.
For projects that have a need for both secure implementations
and a strong, diverse contributor community, this conflict is a
pressing issue. One avenue being pursued that could facilitate
this goal is rewriting components of C or C++ code in Rust—
a language designed to apply to the same domains as C and
C++, but with greater safety guarantees. Seeking to answer
whether Rust can help keep new contributors from introducing
vulnerabilities, and therefore ease the burden on maintainers, we
examine the Oxidation project from Mozilla, which has replaced
components of the Firefox web browser with equivalents written
in Rust. We use the available data from these projects to derive
parameters for a novel application of learning curves, which
we use to estimate the proportion of commits that introduce
vulnerabilities from new contributors in a manner that is directly
comparable. We find that despite concerns about ease of use,
first-time contributors to Rust projects are about 70 times less
likely to introduce vulnerabilities than first-time contributors to
C++ projects. We also found that the rate of new contributors
increased overall after switching to Rust, implying that this
decrease in vulnerabilities from new contributors does not result
from a smaller pool of more skilled developers, and that Rust
can in fact facilitate new contributors. In the process, we also
qualitatively analyze the Rust vulnerabilities in these projects,
and measure the efficacy of the common SZZ algorithm for
identifying bug-inducing commits from their fixes.
Onboard the C/C++ project to any C++ static code analysis tool and check back with me later.
This is a nothingburger.