Aligning software product versions to commits is extremely important for fixing vulnerabilities in released versions. Existing work relies on tags in the code repository. In practice, however, many software versions widely used in IT companies are reported with high-risk vulnerabilities yet have no indicator information (i.e., tags) in their source code repository, which makes it difficult to trace specific versions to their particular commits so that vulnerabilities can be fixed effectively. In this paper, we first study software released on the Maven repository and hosted on GitHub: we collect and analyze statistics on versions that are reported with high-risk vulnerabilities but carry no explicit information locating the commit at which they were released. To locate the commits at which a specific version is released, we propose a novel approach named ContentAlignment and compare it comprehensively with three baselines built on the two most common strategies, time-based and range-based. Experimental results on our constructed dataset show that ContentAlignment achieves an accuracy of 0.89 when identifying the commit range that covers the true release commit of a specific version, improving on the baselines by 50.3%-102.2%. We also conduct a human study with 10 participants to evaluate the performance and usefulness of ContentAlignment; the feedback indicates that ContentAlignment can effectively help participants align vulnerable versions to commits in the code repository.
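To make the problem in the abstract concrete, the following added example (not the paper's ContentAlignment implementation, and not code from the authors) contrasts a time-based baseline with a simple content-based alignment on a constructed six-commit history. The commit history, the shipped-artifact file contents, the publication timestamp, version number and commit identifiers are all hypothetical; the scoring rule (fraction of shipped files whose content matches the commit tree, reported as a contiguous run of top-scoring commits) is an assumption chosen to show why content comparison yields a commit range rather than a single commit.

```python
# Added illustration (not the paper's ContentAlignment): a time-based baseline versus
# a content-based alignment on a constructed commit history.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Commit:
    sha: str            # constructed identifier
    when: datetime      # commit time
    tree: dict          # path -> file content, the repository snapshot at this commit


def ts(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed history, oldest first. The hypothetical version was cut at c3, but no tag
# records that, and c4 changed only a file that never ships in the artifact.
HISTORY = [
    Commit("c1", ts("2024-03-01T10:00"), {"src/Parser.java": "parse v1", "README.md": "r1"}),
    Commit("c2", ts("2024-03-02T10:00"), {"src/Parser.java": "parse v2", "README.md": "r1"}),
    Commit("c3", ts("2024-03-03T10:00"), {"src/Parser.java": "parse v2", "src/Util.java": "util v1", "README.md": "r1"}),
    Commit("c4", ts("2024-03-04T10:00"), {"src/Parser.java": "parse v2", "src/Util.java": "util v1", "README.md": "r2"}),
    Commit("c5", ts("2024-03-06T10:00"), {"src/Parser.java": "parse v3", "src/Util.java": "util v1", "README.md": "r2"}),
    Commit("c6", ts("2024-03-07T10:00"), {"src/Parser.java": "parse v3", "src/Util.java": "util v2", "README.md": "r2"}),
]

# Constructed view of the shipped artifact: source files only, as recovered from the jar.
ARTIFACT = {"src/Parser.java": "parse v2", "src/Util.java": "util v1"}
# Constructed Maven publication time: two days after the real release commit.
PUBLISHED = ts("2024-03-05T12:00")
TRUTH_COMMIT = "c3"


def time_based_range(history, published):
    """Baseline: the latest commit at or before the artifact's publication time.
    Publication lag makes this land on whatever was committed in the meantime."""
    candidates = [c for c in history if c.when <= published]
    return [candidates[-1].sha] if candidates else []


def content_alignment_range(history, artifact):
    """Score every commit by the fraction of shipped files whose content matches the
    commit tree exactly, then return the longest contiguous run of top-scoring commits.
    A run rather than a single commit is returned because commits that touch only
    unshipped files (docs, CI config) are indistinguishable from the release commit."""
    scores = [
        sum(1 for p, body in artifact.items() if c.tree.get(p) == body) / len(artifact)
        for c in history
    ]
    best = max(scores)
    runs, current = [], []
    for commit, score in zip(history, scores):
        if score == best:
            current.append(commit.sha)
        elif current:
            runs.append(current)
            current = []
    if current:
        runs.append(current)
    return max(runs, key=len)  # assumption: prefer the longest (earliest on ties) run


def covers(commit_range, truth):
    """The accuracy criterion from the abstract: does the range contain the true commit?"""
    return truth in commit_range


if __name__ == "__main__":
    tb = time_based_range(HISTORY, PUBLISHED)
    ca = content_alignment_range(HISTORY, ARTIFACT)
    print("time-based   :", tb, "covers truth:", covers(tb, TRUTH_COMMIT))
    print("content-based:", ca, "covers truth:", covers(ca, TRUTH_COMMIT))
```

On this constructed input the time-based baseline returns `["c4"]`, which misses the true release commit because the artifact was published two days after it was cut, while the content comparison returns the range `["c3", "c4"]`, which covers it. For a defender triaging a vulnerable untagged release this is the practical difference: a range that provably contains the release commit bounds which code the fix must be backported over, whereas a single wrong commit silently misplaces the patch.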
Wed 4 Dec (displayed time zone: Beijing, Chongqing, Hong Kong, Urumqi)

16:00 - 17:30 | Session (7), Technical Track / ERA - Early Research Achievements, at Room 4 (Xianglin Ballroom). Chair(s): Cuiyun Gao, Harbin Institute of Technology

16:00, 30m Talk | Automatic Commit Range Identification of Untagged Version (Technical Track). Yan Zhu, Zhejiang University; Lingfeng Bao, Zhejiang University; Chengjie Chen, Zhejiang University; Lexiao Zhang, School of Software Technology, Zhejiang University; Xin Yin, Zhejiang University; Chao Ni, Zhejiang University

16:30, 30m Talk | Classifying Bug Issue Types for Deep Learning-oriented Projects with Pre-Trained Model (Technical Track). Zixuan Zeng, School of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics; Yu Zhao; Lina Gong, Nanjing University of Aeronautics and Astronautics

17:00, 20m Talk | GHA-BFP: Framework for Automated Build Failure Prediction in GitHub Actions (ERA - Early Research Achievements). Jiatai Li, National University of Defense Technology; Yang Zhang, National University of Defense Technology, China; Tao Wang, National University of Defense Technology; Yiwen Wu, National University of Defense Technology