A large-scale empirical study on vulnerability distribution within projects and the lessons learned

Liu, Bingchang; Meng, Guozhu; Zou, Wei; Gong, Qi; Li, Feng; Min, Lin; Sun, Dandan; Huo, Wei; Zhang, Chao

doi:10.1145/3377811.3380923

Cited by 34 publications

(23 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We excluded databases from the security community (e.g., CVE List and NVD) because i) they do not have patches structurally included but have patches potentially hidden in references, and ii) they contain vulnerabilities that go beyond OSS vulnerabilities. We also excluded databases from academia (e.g., [29], [40], [41], [44], [48], [51], [55], [61]) because i) they mostly only cover specific ecosystems or projects and ii) they lack continued maintenance and become out of date after publication. Thus, we restricted our selection to industrial databases.…”

Section: Data Preparationmentioning

confidence: 99%

TRACER: Finding Patches for Open Source Software Vulnerabilities

Xu¹,

Chen²,

Lu³

et al. 2021

Preprint

View full text Add to dashboard Cite

Open source software (OSS) vulnerability management has become an open problem. Vulnerability databases provide valuable data that is needed to address OSS vulnerabilities. However, there arises a growing concern about the information quality of vulnerability databases. In particular, it is unclear how the quality of patches in existing vulnerability databases is. Further, existing manual or heuristic-based approaches for patch identification are either too expensive or too specific to be applied to all OSS vulnerabilities. To address these problems, we first conduct an empirical study to understand the quality and characteristics of patches for OSS vulnerabilities in two state-of-the-art vulnerability databases. Our study is designed to cover five dimensions, i.e., the coverage, consistency, type, cardinality and accuracy of patches. Then, inspired by our study, we propose the first automated approach, named TRACER, to find patches for an OSS vulnerability from multiple sources. Our key idea is that patch commits will be frequently referenced during the reporting, discussion and resolution of an OSS vulnerability. Our extensive evaluation has indicated that i) TRACER finds patches for up to 273.8% more CVEs than existing heuristic-based approaches while achieving a significantly higher F1-score by up to 116.8%; and ii) TRACER achieves a higher recall by up to 18.4% than state-of-the-art vulnerability databases, but sacrifices up to 12.0% fewer CVEs (whose patches are not found) and 6.4% lower precision. Our evaluation has also demonstrated the generality and usefulness of TRACER.

show abstract

Section: Data Preparationmentioning

confidence: 99%

TRACER: Finding Patches for Open Source Software Vulnerabilities

Xu¹,

Chen²,

Lu³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…In particular, a few available datasets assist researchers to mine repositories with the goal to better understand software vulnerabilities [7,10,13,18,19]. Investigating characteristics of vulnerabilities for open-source software can provide findings that should lead to the development of more secure systems [10].…”

Section: Background and Related Workmentioning

confidence: 99%

“…From such databases, researchers can crawl their records to gather useful information such as the CVE identification, vulnerability classification, publish date and etc. Then, they can select CVE or NVD records that have reference links of publicly GitHub repositories [7,13]. These links lead to actual code commits containing the addition of a known vulnerability to a given project stored on GitHub.…”

Section: Datasets For Software Vulnerabilitiesmentioning

confidence: 99%

“…Besides collecting a dataset, Liu et al analyze whether vulnerability occurrence location, time, type, author, and dependency could facilitate its detection [13]. They draw interesting findings such as stating that a higher complexity of code cannot necessarily induce more vulnerabilities.…”

Section: Repository Analysis For Software Vulnerabilitiesmentioning

confidence: 99%

“…We choose the Big-Vul as the first dataset of our work because it is free of cost and contains scripts to help unpacking and analyzing the data. Additionally, it has more than 3000 vulnerability records, which is a large number comparing to others [13,18,19].…”

Section: Case Study: Big-vulmentioning

confidence: 99%

See 2 more Smart Citations

Investigating vulnerability datasets

Andrade¹,

Santos²

2021

Anais Do IX Workshop De Visualização, Evolução E Manutenção De Software (VEM 2021)

View full text Add to dashboard Cite

Insecure software can cause severe damage to user experience and privacy. Therefore, developers should be able to prevent software vulnerabilities. However, detecting such problems is expensive and time consuming. To mitigate this issue, researchers propose vulnerability datasets to make it easier to investigate its properties. In this work, we investigate one dataset to better understand common vulnerabilities, the authors who introduce them to open-source projects, and commit properties. Thus, we use as case study the Big-Vul dataset to help us answering the six research questions we define for this work. Our preliminary results indicate that the most common vulnerabilities occur in the Chromium project. Furthermore, mostly experienced authors are responsible for introducing these vulnerabilities. Last but not least, we conclude that such findings could help developers on detecting vulnerabilities.

show abstract