ICPC 2023
Mon 15 - Tue 16 May 2023 Melbourne, Australia
co-located with ICSE 2023
Context: Predicting software vulnerabilities over code changes is a difficult task because real vulnerability data and the associated code fixes are hard to obtain from software projects, as software organizations are often reluctant to report them. Objective: We aim to propose a vulnerability prediction model that runs after every code change and identifies vulnerability inducing functions in that version. We also assess how well node based and token based source code representations over abstract syntax trees (ASTs) predict vulnerability inducing functions. Method: We train neural networks to learn node embeddings and token embeddings over ASTs in order to obtain feature representations. Then, we build two Graph Neural Networks (GNNs) with node embeddings and compare them against a Convolutional Neural Network (CNN) and a Support Vector Machine (SVM) with token representations. Results: We report our empirical analysis over the change history of vulnerability inducing functions of the Wireshark project. The GraphSAGE model using source code representation via ASTs achieves the highest AUC, while the CNN models using token representations achieve the highest recall, precision and F1 measure. Conclusion: Representing functions with their structural information extracted from ASTs, either in token form or in complete graph form, is effective at predicting vulnerability inducing function versions. Transforming source code into token frequencies, as if it were natural language text, fails to build successful models for vulnerability prediction in a real software project.
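The abstract contrasts two ways of turning a function into features: a flat token-frequency vector (source treated as natural language text) and a graph built from the AST (nodes plus parent-child edges) that a GNN such as GraphSAGE message-passes over. The snippet below is an added illustration of that difference and is not code from the paper or its authors; it uses Python's own `ast` and `tokenize` modules in place of the C front end the paper would need for Wireshark, and the before/after function pair is constructed here, with "vulnerability inducing" used only as an illustrative label.

```python
import ast
import io
import tokenize
from collections import Counter

# Constructed sample (not from Wireshark or the paper): one function before and
# after a bounds check is added. The labels are illustrative, not a real CVE.
BEFORE = """
def read_field(buf, offset, length):
    return buf[offset:offset + length]
"""

AFTER = """
def read_field(buf, offset, length):
    if offset + length > len(buf):
        raise ValueError("truncated packet")
    return buf[offset:offset + length]
"""


def token_frequencies(source):
    """Treat the source as natural-language text: count identifiers,
    operators, numbers and strings. Order and nesting are discarded."""
    counts = Counter()
    kept = (tokenize.NAME, tokenize.OP, tokenize.NUMBER, tokenize.STRING)
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type in kept:
            counts[tok.string] += 1
    return counts


def ast_graph(source):
    """Return (node_types, edges): one entry per AST node and one
    (parent, child) edge per syntactic containment. This is the graph a
    GNN would message-pass over; in the paper's pipeline the node types
    would be replaced by learned node embeddings."""
    node_types, edges = [], []

    def visit(node, parent):
        idx = len(node_types)
        node_types.append(type(node).__name__)
        if parent is not None:
            edges.append((parent, idx))
        for child in ast.iter_child_nodes(node):
            # Load/Store context markers are shared singletons with no
            # structure of their own, so they are left out of the graph.
            if not isinstance(child, ast.expr_context):
                visit(child, idx)

    visit(ast.parse(source), None)
    return node_types, edges


def representation_delta(before, after):
    """What each representation sees change between the two versions:
    new token counts versus new AST node types."""
    token_delta = token_frequencies(after) - token_frequencies(before)
    types_before = Counter(ast_graph(before)[0])
    types_after = Counter(ast_graph(after)[0])
    return token_delta, types_after - types_before


if __name__ == "__main__":
    tokens, nodes = representation_delta(BEFORE, AFTER)
    print("new tokens:", dict(tokens))
    print("new AST node types:", dict(nodes))
    print("edges before/after:",
          len(ast_graph(BEFORE)[1]), len(ast_graph(AFTER)[1]))
```

Running it shows the token view recording only that `if`, `len`, `>` and `raise` appeared a few more times, while the graph view gains `If`, `Compare`, `Call` and `Raise` nodes wired under the `FunctionDef`; the latter is the structural signal the abstract credits for the GNN and AST-token results.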

Tue 16 May

Displayed time zone: Hobart

11:00 - 12:30
Empirical Studies and Recommendations
Research / Discussion / Early Research Achievements (ERA) / Journal First at Meeting Room 106
Chair(s): Issam Sedki Concordia University, Vittoria Nardone
11:00
9m
Full-paper
REMS: Recommending Extract Method Refactoring Opportunities via Multi-view Representation of Code Property Graph
Research
Di Cui , Qiangqiang Wang Xidian University, Siqi Wang , Jianlei Chi , Jianan Li Xidian University, Lu Wang Xidian University, Qingshan Li Xidian University
11:09
9m
Full-paper
Automating Method Naming with Context-Aware Prompt-Tuning
Research
Jie Zhu Institute of Software, Chinese Academy of Sciences;University of Chinese Academy of Sciences, Lingwei Li Institute of Software at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Li Yang Institute of Software at Chinese Academy of Sciences, Xiaoxiao Ma Institute of Software, Chinese Academy of Sciences, Chun Zuo Sinosoft
Pre-print
11:18
9m
Full-paper
Generation-based Code Review Automation: How Far Are We?
Research
Xin Zhou Singapore Management University, Singapore, Kisub Kim Singapore Management University, Bowen Xu North Carolina State University, DongGyun Han Royal Holloway, University of London, Junda He Singapore Management University, David Lo Singapore Management University
Pre-print
11:27
9m
Full-paper
Reanalysis of Empirical Data on Java Local Variables with Narrow and Broad Scope
Research
Dror Feitelson Hebrew University
Pre-print
11:36
9m
Talk
Predicting vulnerability inducing function versions using node embeddings and graph neural networks
Journal First
Ecem Mine Özyedierler Istanbul Technical University, Ayse Tosun Istanbul Technical University, Sefa Eren Sahin Faculty of Computer and Informatics Engineering, Istanbul Technical University
11:45
5m
Short-paper
Properly Offer Options to Improve the Practicality of Software Document Completion Tools
Early Research Achievements (ERA)
Zhipeng Cai School of Computer Science, Wuhan University, Songqiang Chen School of Computer Science, Wuhan University, Xiaoyuan Xie School of Computer Science, Wuhan University, China
Media Attached
11:50
40m
Panel
Discussion 6
Discussion