Programmers often copy code from one program to another. Unfortunately, when patches to buggy code are not propagated to all code clones, one or more programs remain vulnerable. To study how widespread the problem of unpatched code clones truly is, and to provide a tool that helps developers fight it, we developed ReDeBug, a system that quickly finds unpatched code clones in code bases at the scale of entire OS distributions.
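The following is an added illustration of the idea behind unpatched-clone detection, written for this page and not ReDeBug's own code: the pre-patch lines of a security fix are normalized and split into fixed-length windows, and any target file containing one of those windows is flagged. The window length N = 4, the whitespace/comment normalization, and the SAMPLE_PATCH and CLONE_FILE inputs are constructed assumptions.

```python
import re
N = 4  # window length in normalized lines (assumed; ReDeBug's own setting may differ)

# Constructed sample patch: the '-' line is the buggy code, '+' lines the fix.
SAMPLE_PATCH = """\
--- a/parse.c
+++ b/parse.c
@@ -11,4 +11,5 @@
     char tmp[64];
-    strcpy(tmp, buf);
+    if (len >= 64) return -1;
+    memcpy(tmp, buf, len);
     return process(tmp);
 }
"""
# Constructed target: the same buggy code copied under another name and reformatted.
CLONE_FILE = """\
int read_name(char *buf, int len)
{
    char   tmp[64];
    // copy without bounds check
    strcpy( tmp, buf );
    return process(tmp);
}
"""

def normalize_line(line):
    """Strip comments and all whitespace so formatting differences do not matter."""
    return re.sub(r"\s+|/\*.*?\*/|//.*", "", line)

def pre_patch_lines(patch):
    """Pre-patch view of every hunk: (normalized line, was it removed by the patch)."""
    body = [l for l in patch.splitlines()
            if l[:1] in (" ", "-") and not l.startswith("---")]
    norm = [(normalize_line(l[1:]), l[0] == "-") for l in body]
    return [(t, r) for t, r in norm if t]  # blank and comment-only lines drop out

def vulnerable_ngrams(patch):
    """N-line windows of buggy code; context-only windows are skipped (patched copies have them too)."""
    lines = pre_patch_lines(patch)
    return {tuple(t for t, _ in lines[i:i + N])
            for i in range(len(lines) - N + 1)
            if any(r for _, r in lines[i:i + N])}

def file_ngrams(src):
    lines = [t for t in map(normalize_line, src.splitlines()) if t]
    return {tuple(lines[i:i + N]) for i in range(len(lines) - N + 1)}

def find_unpatched(patch, target_src):
    # Windows of the vulnerable code that still appear in target_src.
    return sorted(vulnerable_ngrams(patch) & file_ngrams(target_src))
```

Running `find_unpatched(SAMPLE_PATCH, CLONE_FILE)` reports the strcpy window despite the renamed function and different indentation, while a copy that carries the fix reports nothing.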
Using ReDeBug, we examined over 2.1 billion lines of code from all packages in Debian Lenny/Squeeze and Ubuntu Maverick/Oneiric, all C and C++ projects on SourceForge, and the Linux kernel. ReDeBug identified 15,546 unpatched copies of known vulnerable code; sample unpatched code clones identified in our datasets are available: