Kedi Shen,Yun Zhang,Lingfeng Bao,Zhiyuan Wan,Zhuorong Li,Minghui Wu

DOI: https://doi.org/10.1109/ICSE-COMPANION58688.2023.00049

2023-01-01

Abstract:With the rapid development of open source projects, the continuous emergence of vulnerabilities in the project brings great challenges to the security of the project. Security patches are one of the best ways to deal with vulnerabilities, but are not well applied currently. Although there are sites like CVE/NVD that provide information about vulnerabilities, many of the vulnerabilities disclosed by CVE/NVD are not accompanied by security patches. This makes it difficult for developers to apply patches. In the present study, a sorting method based on extracting multidimensional features from auxiliary information in CVE/NVD was proposed. And we made a further step, we proposed VCMATCH, a model for mining semantic information in vulnerability description and code commit messages, which has good recall rate and applicability across projects. On this basis, we established Patchmatch, a tool for helping developers to quickly locate patches. Given a vulnerability, Patchmatch can forecast the implicit patches in the code repository's commits. Patchmatch also has a visual webpage for information statistics and a display web page to help developers manage all kinds of information in the code repository. A demo video of Patchmatch is at https://www.youtube.com/watch?v=nOBSMFtZV8A. Patchmatch is in https://github.com/Sklud1456/patchmatch.

Ruyan Lin,Yulong Fu,Wei Yi,Jincheng Yang,Jin Cao,Zhiqiang Dong,Fei Xie,Hui Li

DOI: https://doi.org/10.1145/3694782

IF: 16.6

2024-10-09

ACM Computing Surveys

Abstract:Over the past decade, Open Source Software (OSS) has experienced rapid growth and widespread adoption, attributed to its openness and editability. However, this expansion has also brought significant security challenges, particularly introducing and propagating software vulnerabilities. Despite the use of machine learning and formal methods to tackle these issues, there remains a notable gap in comprehensive surveys that summarize and analyze both Vulnerability Detection (VD) and Security Patch Detection (SPD) in OSS. This article seeks to bridge this gap through an extensive survey that evaluates 127 technical studies published between 2014 and 2023, structured around the Vulnerability-Patch lifecycle. We begin by delineating the six critical events that constitute the Vulnerability-Patch lifecycle, leading to an in-depth exploration of the Vulnerability-Patch ecosystem. We then systematically review the databases commonly used in VD and SPD, and analyze their characteristics. Subsequently, we examine existing VD methods, focusing on traditional and deep learning based approaches. Additionally, we organize current security patch identification methods by kernel type and discuss techniques for detecting the presence of security patches. Based on our comprehensive review, we identify open research questions and propose future research directions that merit further exploration.

computer science, theory & methods

Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3663529.3663835

2024-01-01

Abstract:Today’s software industry heavily relies on open source software (OSS). However, the rapidly increasing number of OSS software vulnerabilities (SVs) poses huge security risks to the software supply chain. Managing the SVs in the relied OSS components has become a critical concern for software vendors. Due to the limited resources in practice, an essential focus for the vendors is to locate and prioritize the remediation of critical SVs (CSVs), i.e., those tend to cause huge losses. Particularly, in the software industry, vendors are obliged to comply with the security service level agreement (SLA), which mandates the fix of CSVs within a short time frame (e.g., 15 days). However, to the best of our knowledge, there is no empirical study that specifically investigates CSVs. The existing works only target at general SVs, missing a view of the unique characteristics of CSVs. In this paper, we investigate the distributions (from temporal, type, and repository dimension) and the current remediation practice of CSVs in the OSS ecosystem, especially their differences compared with non-critical SVs (NCSVs). We adopt the industry standard to refer SVs with a 9+ Common Vulnerability Scoring System (CVSS) score as CSVs and others as NCSVs. We collect a large-scale dataset containing 14,867 SVs and artifacts associated with their remediation (e.g., issue report, commit) across 4,462 GitHub repositories. Our findings regarding CSV distributions can help practitioners better locate these hot spots. Regarding the remediation practice, we observe that though CSVs receive higher priorities, some practices (e.g., complicated review and testing pro-cess) may unintentionally cause the delay to their fixes. We also point out the risks of SV information leakage during remediation process, which could leave a window-of-opportunity of over 30 days on median for zero-day attacks. Based on our findings, we provide implications to improve the current CSV remediation practice.

Lingfeng Bao,Xin Xia,Ahmed E. Hassan,Xiaohu Yang

DOI: https://doi.org/10.1145/3510003.3510113

2022-01-01

Abstract:Vulnerabilities publicly disclosed in the National Vulnerability Database (NVD) are assigned with CVE (Common Vulnerabilities and Exposures) IDs and associated with specific software versions. Many organizations, including IT companies and government, heavily rely on the disclosed vulnerabilities in NVD to mitigate their security risks. Once a software is claimed as vulnerable by NVD, these organizations would examine the presence of the vulnerable versions of the software and assess the impact on themselves. However, the version information about vulnerable software in NVD is not always reliable. Nguyen et al. find that the version information of many CVE vulnerabilities is spurious and propose an approach based on the original SZZ algorithm (i.e., an approach to identify bug-introducing commits) to assess the software versions affected by CVE vulnerabilities. However, SZZ algorithms are designed for common bugs, while vulnerabilities and bugs are different. Many bugs are introduced by a recent bug-fixing commit, but vulnerabilities are usually introduced in their initial versions. Thus, the current SZZ algorithms often fail to identify the inducing commits for vulnerabilities. Therefore, in this study, we propose an approach based on an improved SZZ algorithm to refine software versions affected by CVE vulnerabilities. Our proposed SZZ algorithm leverages the line mapping algorithms to identify the earliest commit that modified the vulnerable lines, and then considers these commits to be the vulnerability-inducing commits, as opposed to the previous SZZ algorithms that assume the commits that last modified the buggy lines as the inducing commits. To evaluate our proposed approach, we manually annotate the true inducing commits and verify the vulnerable versions for 172 CVE vulnerabilities with fixing commits from two publicly available datasets with five C/C++ and 41 Java projects, respectively. We find that 99 out of 172 vulnerabilities whose version information is spurious. The experiment results show that our proposed approach can identify more vulnerabilities with the true inducing commits and correct vulnerable versions than the previous SZZ algorithms. Our approach outperforms the previous SZZ algorithms in terms of F1-score for identifying vulnerability-inducing commits on both C/C++ and Java projects (0.736 and 0.630, respectively). For refining vulnerable versions, our approach also achieves the best performance on the two datasets in terms of F1-score (0.928 and 0.952).

Xin Tan,Yuan Zhang,Chenyuan Mi,Jiajun Cao,Kun Sun,Yifan Lin,Min Yang

DOI: https://doi.org/10.1145/3460120.3484593

2021-11-12

Abstract:Security patches play an important role in defending against the security threats brought by the increasing OSS vulnerabilities. However, the collection of security patches still remains a challenging problem. Existing works mainly adopt a matching-based design that uses auxiliary information in CVE/NVD to reduce the search scope of patch commits. However, our preliminary study shows that these approaches can only cover a small part of disclosed OSS vulnerabilities (about 12%-53%) even with manual assistance. To facilitate the collection of OSS security patches, this paper proposes a ranking-based approach, named PatchScout, which ranks the code commits in the OSS code repository based on their correlations to a given vulnerability. By exploiting the broad correlations between a vulnerability and code commits, patch commits are expected to be put to front positions in the ranked results. Compared with existing works, our approach could help to locate more security patches and meet a balance between the patch coverage and the manual efforts involved. We evaluate PatchScout with 685 OSS CVEs and the results show that it helps to locate 92.70% patches with acceptable manual workload. To further demonstrate the utility of PatchScout, we perform a study on 5 popular OSS projects and 225 CVEs to understand the patch deployment practice across branches, and we obtain many new findings.

Shengyi Pan,Lingfeng Bao,Xin Xia,David Lo,Shanping Li

DOI: https://doi.org/10.1109/icse48619.2023.00088

2023-01-01

Abstract:Identifying security patches via code commits to allow early warnings and timely fixes for Open Source Software (OSS) has received increasing attention. However, the existing detection methods can only identify the presence of a patch (i.e., a binary classification) but fail to pinpoint the vulnerability type. In this work, we take the first step to categorize the security patches into fine-grained vulnerability types. Specifically, we use the Common Weakness Enumeration (CWE) as the label and perform fine-grained classification using categories at the third level of the CWE tree. We first formulate the task as a Hierarchical Multi-label Classification (HMC) problem, i.e., inferring a path (a sequence of CWE nodes) from the root of the CWE tree to the node at the target depth. We then propose an approach named TREEVUL with a hierarchical and chained architecture, which manages to utilize the structure information of the CWE tree as prior knowledge of the classification task. We further propose a tree structure aware and beam search based inference algorithm for retrieving the optimal path with the highest merged probability. We collect a large security patch dataset from NVD, consisting of 6,541 commits from 1,560 GitHub OSS repositories. Experimental results show that TREEVUL significantly outperforms the best performing baselines, with improvements of 5.9%, 25.0%, and 7.7% in terms of weighted F1-score, macro F1-score, and MCC, respectively. We further conduct a user study and a case study to verify the practical value of TREEVUL in enriching the binary patch detection results and improving the data quality of NVD, respectively.

Kaixuan Li,Jian Zhang,Sen Chen,Han Liu,Yang Liu,Yixiang Chen

DOI: https://doi.org/10.1145/3650212.3680305

2024-07-24

Abstract:Open-source software (OSS) vulnerabilities are increasingly prevalent, emphasizing the importance of security patches. However, in widely used security platforms like NVD, a substantial number of CVE records still lack trace links to patches. Although rank-based approaches have been proposed for security patch tracing, they heavily rely on handcrafted features in a single-step framework, which limits their effectiveness. In this paper, we propose PatchFinder, a two-phase framework with end-to-end correlation learning for better-tracing security patches. In the **initial retrieval** phase, we employ a hybrid patch retriever to account for both lexical and semantic matching based on the code changes and the description of a CVE, to narrow down the search space by extracting those commits as candidates that are similar to the CVE descriptions. Afterwards, in the **re-ranking** phase, we design an end-to-end architecture under the supervised fine-tuning paradigm for learning the semantic correlations between CVE descriptions and commits. In this way, we can automatically rank the candidates based on their correlation scores while maintaining low computation overhead. We evaluated our system against 4,789 CVEs from 532 OSS projects. The results are highly promising: PatchFinder achieves a Recall@10 of 80.63% and a Mean Reciprocal Rank (MRR) of 0.7951. Moreover, the Manual Effort@10 required is curtailed to 2.77, marking a 1.94 times improvement over current leading methods. When applying PatchFinder in practice, we initially identified 533 patch commits and submitted them to the official, 482 of which have been confirmed by CVE Numbering Authorities.

Software Engineering,Artificial Intelligence

Xinchen Wang,Ruida Hu,Cuiyun Gao,Xin-Cheng Wen,Yujia Chen,Qing Liao

2024-02-08

Abstract:Open-Source Software (OSS) vulnerabilities bring great challenges to the software security and pose potential risks to our society. Enormous efforts have been devoted into automated vulnerability detection, among which deep learning (DL)-based approaches have proven to be the most effective. However, the current labeled data present the following limitations: (1) Tangled Patches: Developers may submit code changes unrelated to vulnerability fixes within patches, leading to tangled patches. (2) Lacking Inter-procedural Vulnerabilities: The existing vulnerability datasets typically contain function-level and file-level vulnerabilities, ignoring the relations between functions, thus rendering the approaches unable to detect the inter-procedural vulnerabilities. (3) Outdated Patches: The existing datasets usually contain outdated patches, which may bias the model during training.

Cryptography and Security,Software Engineering

Fei Zuo,Junghwan Rhee

DOI: https://doi.org/10.1007/s10207-023-00795-8

2024-01-07

International Journal of Information Security

Abstract:In recent years, there has been a remarkable surge in the adoption of open-source software (OSS). However, with the growing usage of OSS components in both free and proprietary software, vulnerabilities that are present within them can be spread to a vast array of underlying applications. Even worse, a myriad of vulnerabilities are fixed secretly via patch commits, which causes other software re-using the vulnerable code snippets to be left in the dark. Thus, source code patch commit mining toward vulnerability discovery is receiving immense attention, and a variety of approaches are proposed. Despite that, there is no comprehensive survey summarizing and discussing the current progress within this field. To fill this gap, we survey, evaluate, and systematize a list of literature and provide the community with our insights on both successes and remaining issues in this space. Special attention is paid on the work toward vulnerability discovery. In this paper, we also provide an introductory panorama with our replicable hands-on experience, which can help readers quickly understand and step into the pertinent field. Our empirical study reveals noteworthy challenges which need to be highlighted and addressed in this field. We also discuss potential directions for the future work. To the best of knowledge, we provide the first literature review to study source code patch commit mining in the vulnerability discovery context. The systematic framework, hands-on practices, and list of potential challenges provide new knowledge for mining source code patch commit toward a more robust software eco-system. The research gaps found in this literature review show the need for future research, such as the concern on data quality, high false alarms, and the significance of textual information.

computer science, information systems, theory & methods, software engineering

Xin Tan,Yuan Zhang,Jiajun Cao,Kun Sun,Mi Zhang,Min Yang

DOI: https://doi.org/10.1145/3485447.3512236

2022-01-01

Abstract:Since the users of open source software (OSS) projects may not use the latest version all the time, OSS development teams often support code maintenance for old versions through maintaining multiple stable branches. Typically, the developers create a stable branch for each old stable version, deploy security patches on the branch, and release fixed versions at regular intervals. As such, old-version applications in production environments are protected from the disclosed vulnerabilities in a long time. However, the rapidly growing number of OSS vulnerabilities has greatly strained this patch deployment model, and a critical need has arisen for the security community to understand the practice of security patch management across stable branches. In this work, we conduct a large-scale empirical study of stable branches in OSS projects and the security patches deployed on them via investigating 608 stable branches belonging to 26 popular OSS projects as well as more than 2,000 security fixes for 806 CVEs deployed on stable branches. Our study distills several important findings: (i) more than 80% affected CVE-Branch pairs are unpatched; (ii) the unpatched vulnerabilities could pose a serious security risk to applications in use, with 47.39% of them achieving a CVSS score over 7 (High or Critical Severity); and (iii) the patch porting process requires great manual efforts and takes an average of 40.46 days, significantly extending the time window for N-day vulnerability attacks. Our results reveal the worrying state of security patch management across stable branches. We hope our study can shed some light on improving the practice of patch management in OSS projects.

Ivan Pashchenko,Henrik Plate,Serena Elisa Ponta,Antonino Sabetta,Fabio Massacci

DOI: https://doi.org/10.48550/arXiv.1808.09753

2018-08-29

Software Engineering

Abstract:BACKGROUND: Vulnerable dependencies are a known problem in today's open-source software ecosystems because OSS libraries are highly interconnected and developers do not always update their dependencies. AIMS: In this paper we aim to present a precise methodology, that combines the code-based analysis of patches with information on build, test, update dates, and group extracted from the very code repository, and therefore, caters to the needs of industrial practice for correct allocation of development and audit resources. METHOD: To understand the industrial impact of the proposed methodology, we considered the 200 most popular OSS Java libraries used by SAP in its own software. Our analysis included 10905 distinct GAVs (group, artifact, version) when considering all the library versions. RESULTS: We found that about 20% of the dependencies affected by a known vulnerability are not deployed, and therefore, they do not represent a danger to the analyzed library because they cannot be exploited in practice. Developers of the analyzed libraries are able to fix (and actually responsible for) 82% of the deployed vulnerable dependencies. The vast majority (81%) of vulnerable dependencies may be fixed by simply updating to a new version, while 1% of the vulnerable dependencies in our sample are halted, and therefore, potentially require a costly mitigation strategy. CONCLUSIONS: Our case study shows that the correct counting allows software development companies to receive actionable information about their library dependencies, and therefore, correctly allocate costly development and audit resources, which is spent inefficiently in case of distorted measurements.

Cadence Patrick,Kimberly Ruth,Zakir Durumeric

2024-04-18

Abstract:Open-source software (OSS) supply chain security has become a topic of concern for organizations. Patching an OSS vulnerability can require updating other dependent software products in addition to the original package. However, the landscape of OSS dependencies is not well explored: we do not know what packages are most critical to patch, hindering efforts to improve OSS security where it is most needed. There is thus a need to understand OSS usage in major software and device makers' products. Our work takes a first step toward closing this knowledge gap. We investigate published OSS dependency information for 108 major software and device makers, cataloging how available and how detailed this information is and identifying the OSS packages that appear the most frequently in our data.

Software Engineering,Cryptography and Security

Ziyou Jiang,Lin Shi,Guowei Yang,Qing Wang

2024-08-16

Abstract:Security patches are essential for enhancing the stability and robustness of projects in the software community. While vulnerabilities are officially expected to be patched before being disclosed, patching vulnerabilities is complicated and remains a struggle for many organizations. To patch vulnerabilities, security practitioners typically track vulnerable issue reports (IRs), and analyze their relevant insecure code to generate potential patches. However, the relevant insecure code may not be explicitly specified and practitioners cannot track the insecure code in the repositories, thus limiting their ability to generate patches. In such cases, providing examples of insecure code and the corresponding patches would benefit the security developers to better locate and fix the insecure code. In this paper, we propose PatUntrack to automatically generating patch examples from IRs without tracked insecure code. It auto-prompts Large Language Models (LLMs) to make them applicable to analyze the vulnerabilities. It first generates the completed description of the Vulnerability-Triggering Path (VTP) from vulnerable IRs. Then, it corrects hallucinations in the VTP description with external golden knowledge. Finally, it generates Top-K pairs of Insecure Code and Patch Example based on the corrected VTP description. To evaluate the performance, we conducted experiments on 5,465 vulnerable IRs. The experimental results show that PatUntrack can obtain the highest performance and improve the traditional LLM baselines by +14.6% (Fix@10) on average in patch example generation. Furthermore, PatUntrack was applied to generate patch examples for 76 newly disclosed vulnerable IRs. 27 out of 37 replies from the authors of these IRs confirmed the usefulness of the patch examples generated by PatUntrack, indicating that they can benefit from these examples for patching the vulnerabilities.

Cryptography and Security,Artificial Intelligence,Software Engineering

Zhi Liu,Xiaosong Zhang,Xiongda Li

DOI: https://doi.org/10.1109/mines.2010.108

2010-01-01

Abstract:Software vulnerability is the major root of security issues which results in serious attacks such as DDOS and worms. How to find vulnerability especially on binaries has been an alluring but challenging topic. Traditional black-box fuzzing heavily relies on input format so that it cannot work on unknown formats, more severely, it cannot generate effective test cases because it randomly change input values. Therefore, fuzzing is rarely effective in real-world circumstances. Information flow tracking, namely taint analysis, has been used in recent years in attack detection and malware analysis but no prior work has used this technique to actively find software vulnerability on binaries. In this paper, we propose a novel approach to find software vulnerability via dynamic tainting consisting of three steps. First execute target program with a seed input being independent of input format. Then identify relevant bytes by back tracking from vulnerability points, defined as dangerous library or system calls, to the original input. Finally generate new test cases by mutating relevant bytes while irrelevant parts remain unchanged. It guarantees that new inputs are able to divert execution flow to vulnerability points. We implemented the system in Windows and evaluated two real-world vulnerabilities. Compared with black-box fuzzing, experiment results show our approach can generate effective test inputs to expose vulnerabilities in short time, which also incurs low overhead.

Xi Xu,Qinghua Zheng,Zheng Yan,Ming Fan,Ang Jia,Zhaohui Zhou,Haijun Wang,Ting Liu

DOI: https://doi.org/10.1109/tse.2023.3332732

IF: 7.4

2023-01-01

IEEE Transactions on Software Engineering

Abstract:Software vulnerabilities are easily propagated through code reuses, which pose dire threats to software system security. Automatic patch presence test offers an effective way to detect whether vulnerabilities have been patched, which is significant for large-scale software system maintenance. However, most existing approaches cannot handle binary codes. They suffer from low accuracy and poor efficiency. None of them are resilient to version gap, function size, and patch size. To tackle the above problems, we propose PatchDiscovery, a patch presence test approach to identify binary vulnerabilities by extracting key basic blocks of patch and vulnerability as their signatures for patch discovery. We propose an efficient and accurate basic block matching method over the normalized and simplified control flow graphs (CFGs) of a vulnerable function (VF) and its patched function (PF) to precisely locate a vulnerability and a patch. Then, we conduct fine-grained patch-level analysis on the patch and the vulnerability to gain their key basic blocks as the signatures of PF and VF for patch presence test. Concretely, the key basic blocks of PF and VF are separately searched in a target function (TF) to identify whether the TF is more similar to PF or VF, i.e., patched or not. Extensive experiments based on two real-world binary datasets that contain 524 common vulnerabilities and exposures (CVEs) with 11607 target functions reveal that PatchDiscovery is very effective and efficient. It achieves $92.2\%$92.2% F-measure and takes only 0.091s on average to test a target function. It is also resilient to version gap, patch size, and function size to a good extent. Moreover, it is outperforming the state-of-the-art works and has a much faster testing speed for large-scale patch detection. Moreover, PatchDiscovery achieves good performance in firmware vulnerability discovery scenario.

Bingchang Liu,Guozhu Meng,Wei Zou,Qi Gong,Feng Li,Min Lin,Dandan Sun,Wei Huo,Chao Zhang

DOI: https://doi.org/10.1145/3377811.3380923

2020-01-01

Abstract:The number of vulnerabilities increases rapidly in recent years, due to advances in vulnerability discovery solutions. It enables a thorough analysis on the vulnerability distribution and provides support for correlation analysis and prediction of vulnerabilities. Previous research either focuses on analyzing bugs rather than vulnerabilities, or only studies general vulnerability distribution among projects rather than the distribution within each project. In this paper, we collected a large vulnerability dataset, consisting of all known vulnerabilities associated with five representative open source projects, by utilizing automated crawlers and spending months of manual efforts. We then analyzed the vulnerability distribution within each project over four dimensions, including files, functions, vulnerability types and responsible developers. Based on the results analysis, we presented 12 practical insights on the distribution of vulnerabilities. Finally, we applied such insights on several vulnerability discovery solutions (including static analysis and dynamic fuzzing), and helped them find 10 zero-day vulnerabilities in target projects, showing that our insights are useful.

Zhongzhen Wen,Jiayuan Zhou,Minxue Pan,Shaohua Wang,Xing Hu,Tongtong Xu,Tian Zhang,Xuandong Li

DOI: https://doi.org/10.1145/3650212.3652139

2024-01-01

Abstract:The coordinated vulnerability disclosure model, widely adopted in open-source software (OSS) organizations, recommends the silent resolution of vulnerabilities without revealing vulnerability information until their public disclosure. However, the inherently public nature of OSS development leads to security fixes becoming publicly available in repositories weeks before the official disclosure of vulnerabilities. This time gap poses a significant security risk to OSS users, as attackers could discover the fix and exploit vulnerabilities before disclosure. Thus, there is a critical need for OSS users to sense fixes as early as possible to address the vulnerability before any exploitation occurs. In response to this challenge, we introduce EarlyVulnFix, a novel approach designed to identify silent fixes for taint-style vulnerabilities—a persistent class of security weaknesses where attacker-controlled input reaches sensitive operations (sink) without proper sanitization. Leveraging data flow and dependency analysis, our tool distinguishes two types of connections between newly introduced code and sinks, tailored for two common fix scenarios. Our evaluation demonstrates that EarlyVulnFix surpasses state-of-the-art baselines by a substantial margin in terms of F1 score. Furthermore, when applied to the 700 latest commits across seven projects, EarlyVulnFix detected three security fixes before their respective security releases, highlighting its effectiveness in identifying unreported vulnerability fixes in the wild.

J. Arthur Gowan,Richard G. Mathieu,Jie Chen

2004-01-01

Abstract:There is an ongoing debate about the magnitude and characteristics of software vulnerabilities found in open-source versus proprietary software. A software vulnerability is defined as a flaw in a piece of software that has been discovered and exploited. Once publicized, typically by an electronic announcement, the vulnerability is posted to one of several competing online security information services. The software vendor will then respond with a scripted patch or remediation. Data related to software vulnerabilities is available publicly (i.e., CERT, SecurityTracker, Mitre, and SANS) and is often stored in an XML format. However, XML presents several challenges for text mining software. The purpose of this paper is to describe a method for mining XML data that sufficiently addresses these concerns in the context of software vulnerability research. Preliminary results are presented.

Antonino Sabetta,Serena Elisa Ponta,Rocio Cabrera Lozoya,Michele Bezzi,Tommaso Sacchetti,Matteo Greco,Gergő Balogh,Péter Hegedűs,Rudolf Ferenc,Ranindya Paramitha,Ivan Pashchenko,Aurora Papotti,Ákos Milánkovich,Fabio Massacci

DOI: https://doi.org/10.1109/msec.2023.3343836

IF: 3.105

2024-01-01

IEEE Security & Privacy

Abstract:Every day, developers have the daunting task of tracing vulnerabilities back in a morass of commits. In this article, we report the experience of the industrial open source tool, Prospector, to support developers in this task.

computer science, information systems, software engineering

Serena E. Ponta,Henrik Plate,Antonino Sabetta,Michele Bezzi,Cédric Dangremont,Serena Elisa Ponta,Cedric Dangremont

DOI: https://doi.org/10.1109/msr.2019.00064

2019-05-01

Abstract:Advancing our understanding of software vulnerabilities, automating their identification, the analysis of their impact, and ultimately their mitigation is necessary to enable the development of software that is more secure. While operating a vulnerability assessment tool, which we developed, and that is currently used by hundreds of development units at SAP, we manually collected and curated a dataset of vulnerabilities of open-source software, and the commits fixing them. The data were obtained both from the National Vulnerability Database (NVD), and from project-specific web resources, which we monitor on a continuous basis. From that data, we extracted a dataset that maps 624 publicly disclosed vulnerabilities affecting 205 distinct open-source Java projects, used in SAP products or internal tools, onto the 1282 commits that fix them. Out of 624 vulnerabilities, 29 do not have a CVE (Common Vulnerability and Exposure) identifier at all, and 46, which do have such identifier assigned by a numbering authority, are not available in the NVD yet. The dataset is released under an open-source license, together with supporting scripts that allow researchers to automatically retrieve the actual content of the commits from the corresponding repositories, and to augment the attributes available for each instance. Moreover, these scripts allow to complement the dataset with additional instances that are not security fixes (which is useful, for example, in machine learning applications). Our dataset has been successfully used to train classifiers that could automatically identify security-relevant commits in code repositories. The release of this dataset and the supporting code as open-source will allow future research to be based on data of industrial relevance; it also represents a concrete step towards making the maintenance of this dataset a shared effort involving open-source communities, academia, and the industry.