VulRepair: a T5-based automated software vulnerability repair

“…Besides, researchers use long short-term memory (LSTM) architecture to capture the long-distance dependencies among code sequences [20,107]. Recently, as a variant of the Seq2Seq model, Transformer [150] has been considered the state-of-the-art NMT repair architecture due to the self-attention mechanism [25,26,40].…”

“…More importantly, it is pretty difficult for repair models to meaningful input representations as characters alone do not have semantic meaning. Generally, there exist two main granularities of code tokenizers used in learning-based APR techniques: word-level tokenizers and [40] and subword-level tokenization [26].…”

“…(1) BPE tokenizer generally needs to be trained upon a given dataset by (1) leveraging a pretokenizer to splits the dataset into words by space-separated tokenization; (2) creating a set of unique words and counting the frequency of each word in the dataset; (3) building a base vocabulary with all symbols that occur in the set of unique words and learning merge rules to form a new symbol from two symbols of the base vocabulary; (4) repeating the above process until the vocabulary is reduced to a reasonable size, which is a pre-defined hyperparameter, before training the tokenizer. For example, VulRepair [40] employs a BPE algorithm to train a subword tokenizer on eight different programming languages (i.e., Ruby, JavaScript, Go, Python, Java, PHP, C, C#) [157] and is suitable for tokenizing source code. In the learning-based APR literature, a majority of repair studies adopt BPE as the tokenization technique, such as CURE [57], CoCoNut [96], SeqTrans [26].…”

“…It is incredibly time-critical to patch reported security vulnerabilities as a belated vulnerability repair could expose software systems to attack [81,84], posing enormous risks to millions of users around the globe and costing billions of dollars in financial losses [67]. Given the potentially disastrous effect when software vulnerabilities are exploited, a mass of learning-based studies has recently been conducted on automated software vulnerability repair [25,40].…”

A Survey of Learning-based Automated Program Repair

“…Besides, researchers use long short-term memory (LSTM) architecture to capture the long-distance dependencies among code sequences [20,107]. Recently, as a variant of the Seq2Seq model, Transformer [150] has been considered the state-of-the-art NMT repair architecture due to the self-attention mechanism [25,26,40].…”

“…More importantly, it is pretty difficult for repair models to meaningful input representations as characters alone do not have semantic meaning. Generally, there exist two main granularities of code tokenizers used in learning-based APR techniques: word-level tokenizers and [40] and subword-level tokenization [26].…”

“…(1) BPE tokenizer generally needs to be trained upon a given dataset by (1) leveraging a pretokenizer to splits the dataset into words by space-separated tokenization; (2) creating a set of unique words and counting the frequency of each word in the dataset; (3) building a base vocabulary with all symbols that occur in the set of unique words and learning merge rules to form a new symbol from two symbols of the base vocabulary; (4) repeating the above process until the vocabulary is reduced to a reasonable size, which is a pre-defined hyperparameter, before training the tokenizer. For example, VulRepair [40] employs a BPE algorithm to train a subword tokenizer on eight different programming languages (i.e., Ruby, JavaScript, Go, Python, Java, PHP, C, C#) [157] and is suitable for tokenizing source code. In the learning-based APR literature, a majority of repair studies adopt BPE as the tokenization technique, such as CURE [57], CoCoNut [96], SeqTrans [26].…”

“…It is incredibly time-critical to patch reported security vulnerabilities as a belated vulnerability repair could expose software systems to attack [81,84], posing enormous risks to millions of users around the globe and costing billions of dollars in financial losses [67]. Given the potentially disastrous effect when software vulnerabilities are exploited, a mass of learning-based studies has recently been conducted on automated software vulnerability repair [25,40].…”

A Survey of Learning-based Automated Program Repair

“…Stable and secure software complexes attract a large customer base. According to S. Pooja [1], which is based on an analysis of The National Vulnerability Database (NVD) (USA), over the past three years, the number of digital code vulnerabilities has increased by 26.6% (2019 -17.3 thousand records / 2021 -21.9 thousand records), data from M. Fu [2] points to the rapid growth of software code vulnerabilities -in 5 times during the last decade, J. Zhou [3] points out that about 64% of the core software of the banks of the global financial community have digital code vulnerabilities, which according to 2021 is estimated in the losses from cybercrime of $ 6 trillion. Analysis of the data presented in the aforementioned publications, as well as in other relevant publications on the specified research vector [4][5][6][7][8][9][10][11][12][13], allows us to come to the following conclusion: 90% of software vulnerabilities are caused by the violations and defects in the source code, 21% of incidents involving loss of confidential data are caused by vulnerabilities in the digital code of software products used, every third software application being implemented and used at present has a digital code body, and in 1000 lines of software code it is revealed up to 60 % of the vulnerabilities.…”

Secure Change Management Process: On the Effectiveness of DevSecOps

Robustness-Enhanced Assertion Generation Method Based on Code Mutation and Attack Defense