VulCurator: A Vulnerability-Fixing Commit Detector
- URL: http://arxiv.org/abs/2209.03260v1
- Date: Wed, 7 Sep 2022 16:11:31 GMT
- Title: VulCurator: A Vulnerability-Fixing Commit Detector
- Authors: Truong Giang Nguyen, Thanh Le-Cong, Hong Jin Kang, Xuan-Bach D. Le,
David Lo
- Abstract summary: VulCurator is a tool that leverages deep learning on richer sources of information.
VulCurator outperforms the state-of-the-art baselines up to 16.1% in terms of F1-score.
- Score: 8.32137934421055
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Open-source software (OSS) vulnerability management process is important
nowadays, as the number of discovered OSS vulnerabilities is increasing over
time. Monitoring vulnerability-fixing commits is a part of the standard process
to prevent vulnerability exploitation. Manually detecting vulnerability-fixing
commits is, however, time consuming due to the possibly large number of commits
to review. Recently, many techniques have been proposed to automatically detect
vulnerability-fixing commits using machine learning. These solutions either:
(1) did not use deep learning, or (2) use deep learning on only limited sources
of information. This paper proposes VulCurator, a tool that leverages deep
learning on richer sources of information, including commit messages, code
changes and issue reports for vulnerability-fixing commit classifica- tion. Our
experimental results show that VulCurator outperforms the state-of-the-art
baselines up to 16.1% in terms of F1-score. VulCurator tool is publicly
available at https://github.com/ntgiang71096/VFDetector and
https://zenodo.org/record/7034132#.Yw3MN-xBzDI, with a demo video at
https://youtu.be/uMlFmWSJYOE.
Related papers
- Discovery of Timeline and Crowd Reaction of Software Vulnerability Disclosures [47.435076500269545]
Apache Log4J was found to be vulnerable to remote code execution attacks.
More than 35,000 packages were forced to update their Log4J libraries with the latest version.
It is practically reasonable for software developers to update their third-party libraries whenever the software vendors have released a vulnerable-free version.
arXiv Detail & Related papers (2024-11-12T01:55:51Z) - Fixing Security Vulnerabilities with AI in OSS-Fuzz [9.730566646484304]
OSS-Fuzz is the most significant and widely used infrastructure for continuous validation of open source systems.
We customise the well-known AutoCodeRover agent for fixing security vulnerabilities.
Our experience with OSS-Fuzz vulnerability data shows that LLM agent autonomy is useful for successful security patching.
arXiv Detail & Related papers (2024-11-03T16:20:32Z) - The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition.
Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies.
We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
arXiv Detail & Related papers (2024-09-10T10:12:37Z) - VulZoo: A Comprehensive Vulnerability Intelligence Dataset [12.229092589037808]
VulZoo is a comprehensive vulnerability intelligence dataset that covers 17 popular vulnerability information sources.
We make VulZoo publicly available and maintain it with incremental updates to facilitate future research.
arXiv Detail & Related papers (2024-06-24T06:39:07Z) - Game Rewards Vulnerabilities: Software Vulnerability Detection with
Zero-Sum Game and Prototype Learning [17.787508315322906]
We propose a software vulneRability dEteCtion framework with zerO-sum game and prototype learNing, named RECON.
We show that RECON outperforms the state-of-the-art baseline by 6.29% in F1 score.
arXiv Detail & Related papers (2024-01-16T05:50:42Z) - On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
We present a novel approach to detect vulnerable clones in the Maven repository.
We retrieve over 53k potential vulnerable clones from Maven Central.
We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
arXiv Detail & Related papers (2023-06-08T20:14:46Z) - Statement-Level Vulnerability Detection: Learning Vulnerability Patterns Through Information Theory and Contrastive Learning [31.15123852246431]
We propose a novel end-to-end deep learning-based approach to identify the vulnerability-relevant code statements of a specific function.
Inspired by the structures observed in real-world vulnerable code, we first leverage mutual information for learning a set of latent variables.
We then propose novel clustered spatial contrastive learning in order to further improve the representation learning.
arXiv Detail & Related papers (2022-09-20T00:46:20Z) - VELVET: a noVel Ensemble Learning approach to automatically locate
VulnErable sTatements [62.93814803258067]
This paper presents VELVET, a novel ensemble learning approach to locate vulnerable statements in source code.
Our model combines graph-based and sequence-based neural networks to successfully capture the local and global context of a program graph.
VELVET achieves 99.6% and 43.6% top-1 accuracy over synthetic data and real-world data, respectively.
arXiv Detail & Related papers (2021-12-20T22:45:27Z) - Automated Mapping of Vulnerability Advisories onto their Fix Commits in
Open Source Repositories [7.629717457706326]
We present an approach that combines practical experience and machine-learning (ML)
An advisory record containing key information about a vulnerability is extracted from an advisory.
A subset of candidate fix commits is obtained from the source code repository of the affected project.
arXiv Detail & Related papers (2021-03-24T17:50:35Z) - ESCORT: Ethereum Smart COntRacTs Vulnerability Detection using Deep
Neural Network and Transfer Learning [80.85273827468063]
Existing machine learning-based vulnerability detection methods are limited and only inspect whether the smart contract is vulnerable.
We propose ESCORT, the first Deep Neural Network (DNN)-based vulnerability detection framework for smart contracts.
We show that ESCORT achieves an average F1-score of 95% on six vulnerability types and the detection time is 0.02 seconds per contract.
arXiv Detail & Related papers (2021-03-23T15:04:44Z) - D2A: A Dataset Built for AI-Based Vulnerability Detection Methods Using
Differential Analysis [55.15995704119158]
We propose D2A, a differential analysis based approach to label issues reported by static analysis tools.
We use D2A to generate a large labeled dataset to train models for vulnerability identification.
arXiv Detail & Related papers (2021-02-16T07:46:53Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.