Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
3-2022
Abstract
Software projects today rely on many third-party libraries, and therefore, are exposed to vulnerabilities in these libraries. When a library vulnerability is fixed, users are notified and advised to upgrade to a new version of the library. However, not all vulnerabilities are publicly disclosed, and users may not be aware of vulnerabilities that may affect their applications. Due to the above challenges, there is a need for techniques which can identify and alert users to silent fixes in libraries: commits that fix bugs with security implications that are not officially disclosed. We propose a machine learning approach to automatically identify vulnerability-fixing commits. Existing techniques consider only data within a commit, such as its commit message, which does not always have sufficiently discriminative information. To address this limitation, our approach incorporates the rich source of information from issue trackers. When a commit does not link to an issue, we use a commit-issue link recovery technique to infer the potential missing link. Our experiments are promising: incorporating information from issue trackers boosts the performance of a vulnerability-fixing commit classifier, improving over the strongest baseline by 11.1% on the entire dataset, which includes commits that do not link to an issue. On a subset of the data in which all commits explicitly link to an issue, our approach improves over the baseline by 12.5%.
Keywords
Vulnerability curation, Silent fixes, Commit classification, Commit-issue link recovery
Discipline
Software Engineering
Research Areas
Software and Cyber-Physical Systems
Publication
2022 IEEE International Conference on Software Analysis, Evolution and Reengineering, Honolulu, HI, March 15-18: Proceedings
First Page
51
Last Page
62
ISBN
9781665437868
Identifier
10.1109/SANER53432.2022.00018
Publisher
IEEE
City or Country
Piscataway, NJ
Citation
NGUYEN, Truong Giang; KANG, Hong Jin; LO, David; SHARMA, Abhishek; SANTOSA, Andrew E.; SHARMA, Asankhaya; and ANG, Ming Yi.
HERMES: using commit-issue linking to detect vulnerability-fixing commits. (2022). 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering, Honolulu, HI, March 15-18: Proceedings. 51-62.
Available at: https://ink.library.smu.edu.sg/sis_research/7742
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1109/SANER53432.2022.00018