A Manually-Curated Dataset of Fixes to Vulnerabilities of Open-Source Software

Ponta, Serena Elisa; Plate, Henrik; Sabetta, Antonino; Bezzi, Michele; Dangremont, Cédric

doi:10.1109/msr.2019.00064

Cited by 94 publications

(61 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We will compare our results with these two approaches in the evaluation section. Both our approach and [5] performed extensive data gathering to hand-curate the dataset. However our dataset covers much more VFC and wider range of programming languages whereas [5] only considered Java.…”

Section: Discussionmentioning

confidence: 99%

“…Both our approach and [5] performed extensive data gathering to hand-curate the dataset. However our dataset covers much more VFC and wider range of programming languages whereas [5] only considered Java. The dataset was also heavily focused on industry relevant projects which is not a good indicator of the whole opensource scene in the real world.…”

Section: Discussionmentioning

confidence: 99%

“…However, these tools perform only shallow understanding of the code and may produce many false positives. For example, the author of FlawFinder [5] states that the tool primarily uses simple text pattern matching and does not understand the semantics of the code at all and furthermore advises to use the tool only as guide in finding and removing security vulnerabilities.…”

Section: Static Analysismentioning

confidence: 99%

“…The majority of the static analysis tools have been focused on analyzing software written in high-level languages, e.g. FlawFinder [5], Splint [6], Microsoft PREfast [7] for C/C++, FindBugs [8] for Java and PMD [9] for multiple languages (Java, JavaScript, XML).…”

Section: Literature Review 21 Introductionmentioning

confidence: 99%

“…The dataset is also published by the authors for free to the public. Based on the dataset, they've trained a Support Vector Machine (SVM) classifier to flag suspicious commis which outperformed FlawFinder[5] by reducing false positives by 99% while maintaining the same recall rate. This is very close to our work, but looking at the problem at a slightly different angel, as our work mainly focus on finding VFC instead of VCC.…”

mentioning

confidence: 99%

See 4 more Smart Citations

Automated vulnerability detection system based on commit messages

Wan¹

View full text Add to dashboard Cite

Vulnerabilities in Open Source Software (OSS) are the major culprits of cyber-attacks and security breaches today. To avoid repetitive development and speed up release cycle, software teams nowadays are increasingly relying on OSS. However, many OSS users are unware of the vulnerable components they are using. The de-facto security advisory standard, National Vulnerability Database (NVD) is known to suffer from poor coverage and inconsistency. Sometimes it will take weeks or even months for a Common Vulnerabilities and Exposures (CVE) to be determined and finally patched. Thus, to mitigate against cyber-attacks, it is important to understand both known CVEs and unknown vulnerabilities. In this thesis, we first conducted a large-scale crawling of Git commits for some popular open source repositories like Linux. Second, because there is no prior dataset for security-relevant Git commits, we developed a web-based triage system for security researchers to perform manual labelling of the commits. Finally, after the commits are cleaned and labelled, a deep neural network is implemented to automatically identify vulnerability-fixing commits (VFC) based on the commit messages. The approach has achieved significant better precision than state-of-the-art while improving the recall rate by 16.8%. In the end, we present a thorough quantitative and qualitative analysis of the results and discuss the lessons learned and room for future work.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

Section: Static Analysismentioning

confidence: 99%

Section: Literature Review 21 Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

See 3 more Smart Citations

Automated vulnerability detection system based on commit messages

Wan¹

View full text Add to dashboard Cite

show abstract

Few-Sample Named Entity Recognition for Security Vulnerability Reports by Fine-Tuning Pre-trained Language Models

Yang

Dineen

Lin

et al. 2021

Deployable Machine Learning for Security Defense

View full text Add to dashboard Cite

A Line-Level Explainable Vulnerability Detection Approach for Java

Mosolygó

Vándor

Hegedűs

et al. 2022

Computational Science and Its Applications – ICCSA 2022 Workshops

View full text Add to dashboard Cite

1 niversity of zegedD oftwre ingineering heprtment 2 prontinde vtdFD zegedD rungry Abstract. qiven our modern soiety9s level of dependeny on s tehE nologyD high qulity nd seurity re not just desirle ut rther vitl properties of urrent softwre systemsF impiril methods leverging the ville rih openEsoure dt nd dvned dt proessing tehniques of wv lgorithms n help softwre developers ensure these propertiesF xonethelessD stteEofEtheErt ug nd vulnerility predition methods re rrely used in prtie due to numerous resonsF he preditions re not tionle in most of the ses due to their level of grnulrity @iFeFD they mrk entire lssesG(les to e uggy or vulnerleA nd euse the methods seldom provide explntion why frgment of soure ode is prolemtiF sn this pperD we present novel tv vulnerility deteE tion method tht ddresses oth of these issuesF st is n dpttion of our previous method for tvript tht is ple of pinpointing vulE nerle soure ode lines of progrm together with prototypeEsed explntionF he method relies on the wordPve similrity of ode frgE ments to known vulnerle soure ode linesF yur empiril evlution showed promising resultsD we ould detet TI7 nd RI7 of the vulnerE le ode lines y )gging only RQ7 nd PP7 of the progrm ode linesD respetivelyD using two of the est detetion on

show abstract

A Manually-Curated Dataset of Fixes to Vulnerabilities of Open-Source Software

Cited by 94 publications

References 10 publications

Automated vulnerability detection system based on commit messages

Automated vulnerability detection system based on commit messages

Few-Sample Named Entity Recognition for Security Vulnerability Reports by Fine-Tuning Pre-trained Language Models

A Line-Level Explainable Vulnerability Detection Approach for Java

Contact Info

Product

Resources

About