Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories

Daan Hommersom; Antonino Sabetta; Bonaventura Coppola; Dario Di Nucci; Damian A. Tamburri

doi:10.1145/3649590

Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories

Daan Hommersom
, Antonino Sabetta
, Bonaventura Coppola
, Dario Di Nucci
, Damian A. Tamburri

Data Governance

Research output: Contribution to journal › Article › Academic › peer-review

4 Citations (Scopus)

72 Downloads (Pure)

Abstract

The lack of comprehensive sources of accurate vulnerability data represents a critical obstacle to studying and understanding software vulnerabilities (and their corrections). In this article, we present an approach that combines heuristics stemming from practical experience and machine-learning (ML) - specifically, natural language processing (NLP) - to address this problem. Our method consists of three phases. First, we construct an advisory record object containing key information about a vulnerability that is extracted from an advisory, such as those found in the National Vulnerability Database (NVD). These advisories are expressed in natural language. Second, using heuristics, a subset of candidate fix commits is obtained from the source code repository of the affected project, by filtering out commits that can be identified as unrelated to the vulnerability at hand. Finally, for each of the remaining candidate commits, our method builds a numerical feature vector reflecting the characteristics of the commit that are relevant to predicting its match with the advisory at hand. Based on the values of these feature vectors, our method produces a ranked list of candidate fixing commits. The score attributed by the ML model to each feature is kept visible to the users, allowing them to easily interpret the predictions.We implemented our approach and we evaluated it on an open data set, built by manual curation, that comprises 2,391 known fix commits corresponding to 1,248 public vulnerability advisories. When considering the top-10 commits in the ranked results, our implementation could successfully identify at least one fix commit for up to 84.03% of the vulnerabilities (with a fix commit on the first position for 65.06% of the vulnerabilities). Our evaluation shows that our method can reduce considerably the manual effort needed to search open-source software (OSS) repositories for the commits that fix known vulnerabilities.

Original language	English
Article number	134
Number of pages	28
Journal	ACM Transactions on Software Engineering and Methodology
Volume	33
Issue number	5
DOIs	https://doi.org/10.1145/3649590
Publication status	Published - 4 Jun 2024

Bibliographical note

Publisher Copyright:
© 2024 Copyright held by the owner/author(s). Publication rights licensed to ACM.

Funding

Funders	Funder number
European Union's Horizon 2020 - Research and Innovation Framework Programme	952647

Keywords

code-level vulnerability data
common vulnerabilities and exposures (CVE)
machine learning applied to software security
mining software repositories
National Vulnerability Database (NVD)
Open source software
software security

Access to Document

10.1145/3649590

pdfFinal published version, 3.04 MBLicence: TAVERNE

Cite this

@article{bb689eb31e404525980deeeecaa15843,

title = "Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories",

abstract = "The lack of comprehensive sources of accurate vulnerability data represents a critical obstacle to studying and understanding software vulnerabilities (and their corrections). In this article, we present an approach that combines heuristics stemming from practical experience and machine-learning (ML) - specifically, natural language processing (NLP) - to address this problem. Our method consists of three phases. First, we construct an advisory record object containing key information about a vulnerability that is extracted from an advisory, such as those found in the National Vulnerability Database (NVD). These advisories are expressed in natural language. Second, using heuristics, a subset of candidate fix commits is obtained from the source code repository of the affected project, by filtering out commits that can be identified as unrelated to the vulnerability at hand. Finally, for each of the remaining candidate commits, our method builds a numerical feature vector reflecting the characteristics of the commit that are relevant to predicting its match with the advisory at hand. Based on the values of these feature vectors, our method produces a ranked list of candidate fixing commits. The score attributed by the ML model to each feature is kept visible to the users, allowing them to easily interpret the predictions.We implemented our approach and we evaluated it on an open data set, built by manual curation, that comprises 2,391 known fix commits corresponding to 1,248 public vulnerability advisories. When considering the top-10 commits in the ranked results, our implementation could successfully identify at least one fix commit for up to 84.03\% of the vulnerabilities (with a fix commit on the first position for 65.06\% of the vulnerabilities). Our evaluation shows that our method can reduce considerably the manual effort needed to search open-source software (OSS) repositories for the commits that fix known vulnerabilities.",

keywords = "code-level vulnerability data, common vulnerabilities and exposures (CVE), machine learning applied to software security, mining software repositories, National Vulnerability Database (NVD), Open source software, software security",

author = "Daan Hommersom and Antonino Sabetta and Bonaventura Coppola and \{Di Nucci\}, Dario and Tamburri, \{Damian A.\}",

note = "Publisher Copyright: {\textcopyright} 2024 Copyright held by the owner/author(s). Publication rights licensed to ACM.",

year = "2024",

month = jun,

day = "4",

doi = "10.1145/3649590",

language = "English",

volume = "33",

journal = "ACM Transactions on Software Engineering and Methodology",

issn = "1049-331X",

publisher = "Association for Computing Machinery, Inc.",

number = "5",

}

TY - JOUR

T1 - Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories

AU - Hommersom, Daan

AU - Sabetta, Antonino

AU - Coppola, Bonaventura

AU - Di Nucci, Dario

AU - Tamburri, Damian A.

PY - 2024/6/4

Y1 - 2024/6/4

N2 - The lack of comprehensive sources of accurate vulnerability data represents a critical obstacle to studying and understanding software vulnerabilities (and their corrections). In this article, we present an approach that combines heuristics stemming from practical experience and machine-learning (ML) - specifically, natural language processing (NLP) - to address this problem. Our method consists of three phases. First, we construct an advisory record object containing key information about a vulnerability that is extracted from an advisory, such as those found in the National Vulnerability Database (NVD). These advisories are expressed in natural language. Second, using heuristics, a subset of candidate fix commits is obtained from the source code repository of the affected project, by filtering out commits that can be identified as unrelated to the vulnerability at hand. Finally, for each of the remaining candidate commits, our method builds a numerical feature vector reflecting the characteristics of the commit that are relevant to predicting its match with the advisory at hand. Based on the values of these feature vectors, our method produces a ranked list of candidate fixing commits. The score attributed by the ML model to each feature is kept visible to the users, allowing them to easily interpret the predictions.We implemented our approach and we evaluated it on an open data set, built by manual curation, that comprises 2,391 known fix commits corresponding to 1,248 public vulnerability advisories. When considering the top-10 commits in the ranked results, our implementation could successfully identify at least one fix commit for up to 84.03% of the vulnerabilities (with a fix commit on the first position for 65.06% of the vulnerabilities). Our evaluation shows that our method can reduce considerably the manual effort needed to search open-source software (OSS) repositories for the commits that fix known vulnerabilities.

AB - The lack of comprehensive sources of accurate vulnerability data represents a critical obstacle to studying and understanding software vulnerabilities (and their corrections). In this article, we present an approach that combines heuristics stemming from practical experience and machine-learning (ML) - specifically, natural language processing (NLP) - to address this problem. Our method consists of three phases. First, we construct an advisory record object containing key information about a vulnerability that is extracted from an advisory, such as those found in the National Vulnerability Database (NVD). These advisories are expressed in natural language. Second, using heuristics, a subset of candidate fix commits is obtained from the source code repository of the affected project, by filtering out commits that can be identified as unrelated to the vulnerability at hand. Finally, for each of the remaining candidate commits, our method builds a numerical feature vector reflecting the characteristics of the commit that are relevant to predicting its match with the advisory at hand. Based on the values of these feature vectors, our method produces a ranked list of candidate fixing commits. The score attributed by the ML model to each feature is kept visible to the users, allowing them to easily interpret the predictions.We implemented our approach and we evaluated it on an open data set, built by manual curation, that comprises 2,391 known fix commits corresponding to 1,248 public vulnerability advisories. When considering the top-10 commits in the ranked results, our implementation could successfully identify at least one fix commit for up to 84.03% of the vulnerabilities (with a fix commit on the first position for 65.06% of the vulnerabilities). Our evaluation shows that our method can reduce considerably the manual effort needed to search open-source software (OSS) repositories for the commits that fix known vulnerabilities.

KW - code-level vulnerability data

KW - common vulnerabilities and exposures (CVE)

KW - machine learning applied to software security

KW - mining software repositories

KW - National Vulnerability Database (NVD)

KW - Open source software

KW - software security

UR - https://www.scopus.com/pages/publications/85195458543

U2 - 10.1145/3649590

DO - 10.1145/3649590

M3 - Article

AN - SCOPUS:85195458543

SN - 1049-331X

VL - 33

JO - ACM Transactions on Software Engineering and Methodology

JF - ACM Transactions on Software Engineering and Methodology

IS - 5

M1 - 134

ER -

Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories

Abstract

Bibliographical note

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this