Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

11-2022

Abstract

Open-source software (OSS) vulnerability management process is important nowadays, as the number of discovered OSS vulnerabilities is increasing over time. Monitoring vulnerability-fixing commits is a part of the standard process to prevent vulnerability exploitation. Manually detecting vulnerability-fixing commits is, however, time-consuming due to the possibly large number of commits to review. Recently, many techniques have been proposed to automatically detect vulnerability-fixing commits using machine learning. These solutions either: (1) did not use deep learning, or (2) use deep learning on only limited sources of information. This paper proposes VulCurator, a tool that leverages deep learning on richer sources of information, including commit messages, code changes and issue reports for vulnerability-fixing commit classification. Our experimental results show that VulCurator outperforms the state-of-the-art baselines up to 16.1% in terms of F1-score. VulCurator tool is publicly available at https://github.com/ ntgiang71096/VFDetector and https://zenodo.org/record/7034132# .Yw3MN-xBzDI, with a demo video at https://youtu.be/uMlFmWSJYOE.

Keywords

Vulnerability-fixing commits, Deep learning, BERT

Discipline

Information Security

Research Areas

Information Systems and Management

Publication

Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, Singapore, 2022 November 14-18

First Page

1726

Last Page

1730

ISBN

9781450394130

Identifier

10.1145/3540250.3558936

Publisher

Association for Computing Machinery

City or Country

Singapore

Additional URL

https://doi.org/10.1145/3540250.3558936

Download

Share

COinS