EASE 2024
Tue 18 - Fri 21 June 2024 Salerno, Italy
Thu 20 Jun 2024 15:17 - 15:30 at Room Vietri - Security (1) Chair(s): Giuseppe Scanniello

High-quality datasets of code-level vulnerability data are essen- tial to training effective machine-learning (ML) models that iden- tify security-relevant commits (i.e. commits that introduce or fix a vulnerability). Some datasets of this sort of this sort do exist, built by mining open-source code repositories; however, they typi- cally contain only positive instances (i.e. security-relevant instances). Therefore, the researchers intending to use such datasets in ML applications are left with the task of obtaining a corresponding set of negative examples (here referred to as the negative complement of the dataset). Randomly sampling a negative complement from the target repository is common practice, under the assumption that positive commits are rare. This approach, while efficient and straightfor- ward, leads to a negative complement with commits with easily distinguishable features that are unrelated with security-relevance (e.g., their size, number and type of modified files, etc). In this paper, we present an improved method to obtain a nega- tive complement to a dataset of security-relevant commits. It pro- duces negative commits that are as similar as possible to the positive instances in the starting dataset. We describe our method and we demonstrate it by applying it to an existing dataset of vulnerability- fixing commits. We release the resulting extended dataset and the scripts we used to produce it.

Thu 20 Jun

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

14:00 - 15:30
14:00
12m
Talk
Analyzing Prerequisites of known Deserialization Vulnerabilities on Java Applications
Research Papers
Bruno Kreyssig Umeå University, Alexandre Bartel Umeå University
14:12
12m
Talk
An Extensive Comparison of Static Application Security Testing Tools
Research Papers
Matteo Esposito University of Rome Tor Vergata, Valentina Falaschi University of Rome Tor Vergata, Davide Falessi University of Rome Tor Vergata, Italy
Pre-print
14:25
12m
Talk
Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers
Industry
Therese Fehrer JADS, Tilburg University صs-Hertogenbosch, Rocio Cabrera Lozoya SAP Security Research, Antonino Sabetta SAP Labs, Dario Di Nucci University of Salerno, Damian Andrew Tamburri TU/e
14:38
12m
Talk
Analyzing the Accessibility of GitHub Repositories for PyPI and NPM Libraries
Short Papers, Vision and Emerging Results
DOI Pre-print
14:51
12m
Talk
Unveiling iOS Scamwares through Crowdturfing Reviews
Short Papers, Vision and Emerging Results
Zhipeng Xu Shanghai Jiao Tong University
15:04
12m
Talk
Mining REST APIs for Potential Mass Assignment Vulnerabilities
Short Papers, Vision and Emerging Results
Arash Mazidi , Davide Corradini University of Verona, Mohammad Ghafari TU Clausthal
15:17
12m
Talk
Negative Complement of a Set of Vulnerability-Fixing Commits: Method and Dataset
Industry
Rocio Cabrera Lozoya SAP Security Research, Antonino Sabetta SAP Labs, Tommaso Aiello SAP Security Research