Further Investigation of the Survivability of Code Technical Debt Items

💡 Research Summary

This paper investigates the survivability of code Technical Debt Items (TDIs)—specifically bugs, code smells, and vulnerabilities—by analysing a large empirical dataset comprising two industrial systems and 31 Apache open‑source projects. Using SonarQube’s static analysis results, the authors tracked 133,670 TDIs across 193,196 commits (35,703 from the industrial systems) and applied survival‑analysis techniques (Kaplan‑Meier curves and log‑rank tests) to compare how long each type of TDI remains in the codebase.

The industrial case studies differ in size and age: Industrial 1 is a >1 MLOC system with a ten‑year history, yielding 33,974 TDIs from 9,331 commits; Industrial 2 is a 60 KLOC system with a four‑year history, yielding 1,398 TDIs from 8,414 commits. The open‑source sample includes 31 Java projects hosted on GitHub, for which SonarQube data were collected via its public API.

Key findings are: (1) Bugs have the shortest median survival—about 2–3 months—indicating that developers prioritize fixing functional errors that can break the system. (2) Code smells survive longer, with a median of 7–9 months, while vulnerabilities persist even longer (8–12 months). (3) A stark contrast emerges between environments: in open‑source projects, more than 80 % of TDIs survive beyond one year, and many vulnerabilities remain for over 1.5 years; in the industrial systems, over 60 % of TDIs are resolved within six months. (4) TDIs that survive an initial “threshold” period (e.g., six months) are significantly more likely to persist indefinitely, confirming earlier observations that long‑lived debt tends to become entrenched.

The authors attribute the faster debt repayment in industry to systematic integration of SonarQube into CI/CD pipelines, explicit debt‑management policies, and organizational incentives that treat TDIs as quantitative quality metrics. In contrast, open‑source contributors act voluntarily; security issues and severe bugs receive attention, but less severe smells and vulnerabilities often lack a coordinated remediation effort. The paper also discusses the influence of SonarQube rule configuration: overly strict rule sets can generate false positives, inflating the apparent debt and potentially discouraging timely fixes.

Compared with prior work—most notably Tufano et al. (2019) on code‑smell introduction and Digkas et al. (2020) on debt repayment—the current study expands the scope to include bugs and vulnerabilities and conducts the analysis at the commit level rather than weekly snapshots, providing finer granularity.

Implications for practice include: (a) industrial teams should continue leveraging automated static analysis and treat TDI metrics as part of sprint planning to keep debt short‑lived; (b) open‑source projects could benefit from adopting similar automated pipelines and establishing clear guidelines for handling non‑critical smells and security findings; (c) researchers should further explore the relationship between TDI severity, developer perception, and actual remediation effort.

Threats to validity are acknowledged: reliance on SonarQube’s detection accuracy, potential incompleteness of commit metadata, and the limited number of industrial cases restrict external generalisation. Future work is proposed to incorporate additional analysis tools, broaden the industrial sample, and model causal links between debt repayment and downstream product quality metrics.

In summary, the study demonstrates that the survivability of code TDIs varies markedly by type and development context. Bugs are quickly eliminated, whereas code smells and especially vulnerabilities can linger for extended periods, especially in open‑source ecosystems. Systematic debt‑management practices in industry effectively reduce TDI lifetimes, suggesting that similar disciplined approaches could improve maintainability and security in broader software development settings.