Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers (EASE 2024 - Industry) - EASE 2024

Tue 18 - Fri 21 June 2024 Salerno, Italy

Who

Therese Fehrer, Rocio Cabrera Lozoya, Antonino Sabetta, Dario Di Nucci, Damian Andrew Tamburri

Track

EASE 2024 Industry

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

When

Thu 20 Jun 2024 14:25 - 14:38 at Room Vietri - Security (1) Chair(s): Giuseppe Scanniello

Abstract

The sources of reliable, code-level information about vulnerabilities that affect open-source software (OSS) are scarce, which hinders a broad adoption of advanced tools that provide code-level detection and assessment of vulnerable OSS dependencies. In this paper, we report our findings from using features ex- tracted from four (PMD, Checkstyle, CK, Progex) off-the-shelf static code analyzers relying on pattern matching, software met- rics or program analysis in a machine-learning pipeline to identify source code commits that contain vulnerability fixes. We show that successful machine learning models based on base classifiers and ensemble techniques can be trained on the combination of the features.

Therese Fehrer

JADS, Tilburg University صs-Hertogenbosch

Rocio Cabrera Lozoya

SAP Security Research

Antonino Sabetta

SAP Labs

France

Dario Di Nucci

University of Salerno

Italy

Damian Andrew Tamburri

TU/e

Netherlands

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Session Program

Thu 20 Jun
Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

	14:00 - 15:30	Security (1)Industry / Research Papers / Short Papers, Vision and Emerging Results at Room Vietri Chair(s): Giuseppe Scanniello University of Salerno

	14:00 12m Talk		Analyzing Prerequisites of known Deserialization Vulnerabilities on Java Applications Research Papers Bruno Kreyssig Umeå University, Alexandre Bartel Umeå University
	14:12 12m Talk		An Extensive Comparison of Static Application Security Testing Tools Research Papers Matteo Esposito University of Rome Tor Vergata, Valentina Falaschi University of Rome Tor Vergata, Davide Falessi University of Rome Tor Vergata, Italy Pre-print
	14:25 12m Talk		Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers Industry Therese Fehrer JADS, Tilburg University صs-Hertogenbosch, Rocio Cabrera Lozoya SAP Security Research, Antonino Sabetta SAP Labs, Dario Di Nucci University of Salerno, Damian Andrew Tamburri TU/e
	14:38 12m Talk		Analyzing the Accessibility of GitHub Repositories for PyPI and NPM Libraries Short Papers, Vision and Emerging Results Alexandros Tsakpinis fortiss GmbH, Alexander Pretschner TU Munich DOI Pre-print
	14:51 12m Talk		Unveiling iOS Scamwares through Crowdturfing Reviews Short Papers, Vision and Emerging Results Zhipeng Xu Shanghai Jiao Tong University
	15:04 12m Talk		Mining REST APIs for Potential Mass Assignment Vulnerabilities Short Papers, Vision and Emerging Results Arash Mazidi , Davide Corradini University of Verona, Mohammad Ghafari TU Clausthal
	15:17 12m Talk		Negative Complement of a Set of Vulnerability-Fixing Commits: Method and Dataset Industry Rocio Cabrera Lozoya SAP Security Research, Antonino Sabetta SAP Labs, Tommaso Aiello SAP Security Research