Toward effective secure code reviews: an empirical study of security-related coding weaknesses

Keywords: Secure coding; Code review; Strengths and weaknesses; Empirical research
DOI: 10.1007/s10664-024-10496-y Publication Date: 2024-06-08T13:01:28Z
ABSTRACT
Identifying security issues early is encouraged to reduce their latent negative impacts on software systems. Code review is a widely used method that allows developers to manually inspect modified code, catching security issues during the development cycle. However, existing code review studies often focus on known vulnerabilities, neglecting coding weaknesses, which can introduce real-world security issues and are more visible through code review. The practices of code reviews in identifying such coding weaknesses have not yet been fully investigated. To better understand this, we conducted an empirical case study of two large open-source projects, OpenSSL and PHP. Based on 135,560 code review comments, we found that reviewers raised security concerns in 35 out of 40 coding weakness categories. Surprisingly, some coding weaknesses related to past vulnerabilities, such as memory errors and resource management, were discussed less often than the vulnerabilities themselves. Developers attempted to address the raised concerns in many cases (39%-41%), but a substantial portion was merely acknowledged (30%-36%), and some went unfixed due to disagreements about solutions (18%-20%). This highlights that coding weaknesses can slip through code review even when they are identified. Our findings suggest that reviewers can identify various coding weaknesses leading to security issues during code reviews. However, these results also reveal shortcomings in current code review practices, indicating the need for more effective mechanisms or support for increasing awareness of security issue management in code reviews.