The advent of Autonomous Driving Systems (ADS) has marked a significant shift towards intelligent transportation, with implications for public safety and traffic efficiency. While these systems integrate a variety of technologies and offer numerous benefits, their security is paramount, as vulnerabilities can have severe consequences for safety and trust. This study aims to systematically investigate potential security weaknesses in the codebases of prominent open-source ADS projects using CodeQL, a static code analysis tool. The goal is to identify common vulnerabilities, their distribution and persistence across versions to enhance the security of ADS. We selected three representative open-source ADS projects, Autoware, AirSim, and Apollo, based on their high GitHub star counts and Level 4 autonomous driving capabilities. Using CodeQL, we analyzed multiple versions of these projects to identify vulnerabilities, focusing on CWE categories such as CWE-190 (Integer Overflow or Wraparound) and CWE-20 (Improper Input Validation). We also tracked the lifecycle of these vulnerabilities across software versions. This approach allows us to systematically analyze vulnerabilities in projects, which has not been extensively explored in previous ADS research. Our analysis revealed that specific CWE categories, particularly CWE-190 (59.6%) and CWE-20 (16.1%), were prevalent across the selected ADS projects. These vulnerabilities often persisted for over six months, spanning multiple version iterations. The empirical assessment showed a direct link between the severity of these vulnerabilities and their tangible effects on ADS performance. These security issues among ADS still remain to be resolved. Our findings highlight the need for integrating static code analysis into ADS development to detect and mitigate common vulnerabilities.

翻译：自动驾驶系统（ADS）的出现标志着智能交通领域的重大变革，对公共安全和交通效率产生深远影响。尽管这些系统集成了多种技术并带来诸多优势，但其安全性至关重要，因为漏洞可能对安全和信任造成严重后果。本研究旨在使用静态代码分析工具CodeQL，系统性地调查主流开源ADS项目代码库中潜在的安全弱点，以识别常见漏洞、其分布情况及其跨版本的持续性，从而提升ADS的安全性。基于GitHub星标数和L4级自动驾驶能力，我们选取了三个具有代表性的开源ADS项目：Autoware、AirSim和Apollo。利用CodeQL，我们分析了这些项目的多个版本以识别漏洞，重点关注CWE-190（整数溢出或回绕）和CWE-20（不当输入验证）等CWE类别。我们还追踪了这些漏洞在软件版本间的生命周期。该方法使我们能够系统分析项目中的漏洞，这在以往的ADS研究中尚未得到广泛探索。我们的分析显示，特定CWE类别，尤其是CWE-190（59.6%）和CWE-20（16.1%），在所选ADS项目中普遍存在。这些漏洞通常持续存在超过六个月，跨越多个版本迭代。实证评估表明，这些漏洞的严重程度与其对ADS性能的实际影响存在直接关联。这些ADS中的安全问题仍有待解决。我们的研究结果强调了将静态代码分析集成到ADS开发中以检测和缓解常见漏洞的必要性。