HERMES: using commit-issue linking to detect vulnerability-fixing commits
Software projects today rely on many third-party libraries, and therefore, are exposed to vulnerabilities in these libraries. When a library vulnerability is fixed, users are notified and advised to upgrade to a new version of the library. However, not all vulnerabilities are publicly disclosed, and...
Saved in:
| Main Authors: | , , , , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2022
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/7742 https://ink.library.smu.edu.sg/context/sis_research/article/8745/viewcontent/378600a051.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-8745 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-87452023-08-24T09:53:04Z HERMES: using commit-issue linking to detect vulnerability-fixing commits NGUYEN, Truong Giang KANG, Hong Jin LO, David SHARMA, Abhishek SANTOSA, Andrew E. SHARMA, Asankhaya ANG, Ming Yi Software projects today rely on many third-party libraries, and therefore, are exposed to vulnerabilities in these libraries. When a library vulnerability is fixed, users are notified and advised to upgrade to a new version of the library. However, not all vulnerabilities are publicly disclosed, and users may not be aware of vulnerabilities that may affect their applications. Due to the above challenges, there is a need for techniques which can identify and alert users to silent fixes in libraries; commits that fix bugs with security implications that are not officially disclosed. We propose a machine learning approach to automatically identify vulnerability-fixing commits. Existing techniques consider only data within a commit, such as its commit message, which does not always have sufficiently discriminative information. To address this limitation, our approach incorporates the rich source of information from issue trackers. When a commit does not link to an issue, we use a commit-issue link recovery technique to infer the potential missing link. Our experiments are promising; incorporating information from issue trackers boosts the performance of a vulnerability-fixing commit classifier, improving over the strongest baseline by 11.1% on the entire dataset, which includes commits that do not link to an issue. On a subset of the data in which all commits explicitly link to an issue, our approach improves over the baseline by 12.5%. 2022-03-01T08:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/7742 info:doi/10.1109/SANER53432.2022.00018 https://ink.library.smu.edu.sg/context/sis_research/article/8745/viewcontent/378600a051.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Vulnerability curation Silent fixes Commit classification Commit-issue link recovery Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Vulnerability curation Silent fixes Commit classification Commit-issue link recovery Software Engineering |
| spellingShingle |
Vulnerability curation Silent fixes Commit classification Commit-issue link recovery Software Engineering NGUYEN, Truong Giang KANG, Hong Jin LO, David SHARMA, Abhishek SANTOSA, Andrew E. SHARMA, Asankhaya ANG, Ming Yi HERMES: using commit-issue linking to detect vulnerability-fixing commits |
| description |
Software projects today rely on many third-party libraries, and therefore, are exposed to vulnerabilities in these libraries. When a library vulnerability is fixed, users are notified and advised to upgrade to a new version of the library. However, not all vulnerabilities are publicly disclosed, and users may not be aware of vulnerabilities that may affect their applications. Due to the above challenges, there is a need for techniques which can identify and alert users to silent fixes in libraries; commits that fix bugs with security implications that are not officially disclosed. We propose a machine learning approach to automatically identify vulnerability-fixing commits. Existing techniques consider only data within a commit, such as its commit message, which does not always have sufficiently discriminative information. To address this limitation, our approach incorporates the rich source of information from issue trackers. When a commit does not link to an issue, we use a commit-issue link recovery technique to infer the potential missing link. Our experiments are promising; incorporating information from issue trackers boosts the performance of a vulnerability-fixing commit classifier, improving over the strongest baseline by 11.1% on the entire dataset, which includes commits that do not link to an issue. On a subset of the data in which all commits explicitly link to an issue, our approach improves over the baseline by 12.5%. |
| format |
text |
| author |
NGUYEN, Truong Giang KANG, Hong Jin LO, David SHARMA, Abhishek SANTOSA, Andrew E. SHARMA, Asankhaya ANG, Ming Yi |
| author_facet |
NGUYEN, Truong Giang KANG, Hong Jin LO, David SHARMA, Abhishek SANTOSA, Andrew E. SHARMA, Asankhaya ANG, Ming Yi |
| author_sort |
NGUYEN, Truong Giang |
| title |
HERMES: using commit-issue linking to detect vulnerability-fixing commits |
| title_short |
HERMES: using commit-issue linking to detect vulnerability-fixing commits |
| title_full |
HERMES: using commit-issue linking to detect vulnerability-fixing commits |
| title_fullStr |
HERMES: using commit-issue linking to detect vulnerability-fixing commits |
| title_full_unstemmed |
HERMES: using commit-issue linking to detect vulnerability-fixing commits |
| title_sort |
hermes: using commit-issue linking to detect vulnerability-fixing commits |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2022 |
| url |
https://ink.library.smu.edu.sg/sis_research/7742 https://ink.library.smu.edu.sg/context/sis_research/article/8745/viewcontent/378600a051.pdf |
| _version_ |
1779156955032453120 |