SZZ for Vulnerability: Automatic Identification of Version Ranges Affected by CVE Vulnerabilities
Thu 12 May 2022, 05:25 - 05:30, ICSE room 3-odd hours. Session: Mining Software Repositories 1. Chair(s): Ayushi Rastogi
Vulnerabilities publicly disclosed in the National Vulnerability Database (NVD) are assigned CVE (Common Vulnerabilities and Exposures) IDs and associated with specific software versions. Many organizations, including IT companies and governments, rely heavily on the vulnerabilities disclosed in NVD to mitigate their security risks. Once a piece of software is flagged as vulnerable by NVD, these organizations check whether they run the vulnerable versions and assess the impact on themselves. However, the version information about vulnerable software in NVD is not always reliable. Nguyen et al. find that the version information of many CVE vulnerabilities is spurious and propose an approach based on the original SZZ algorithm to assess the software versions affected by CVE vulnerabilities.
However, SZZ algorithms are designed for common bugs, and vulnerabilities differ from bugs. Many bugs are introduced by a recent bug-fixing commit, but vulnerabilities are usually introduced in the initial versions of the software. Thus, the current SZZ algorithms often fail to identify the inducing commits for vulnerabilities. Therefore, in this study, we propose an approach based on an improved SZZ algorithm to refine the software versions affected by CVE vulnerabilities. Our proposed SZZ algorithm leverages line mapping algorithms to identify the earliest commit that modified the vulnerable lines and treats those commits as the vulnerability-inducing commits, whereas the previous SZZ algorithms assume that the commits that last modified the buggy lines are the inducing commits. To evaluate our proposed approach, we manually annotate the true inducing commits and verify the vulnerable versions for 172 CVE vulnerabilities with fixing commits from two publicly available datasets covering five C/C++ and 41 Java projects, respectively. We find that 99 out of the 172 vulnerabilities have spurious version information. The experimental results show that our proposed approach identifies more vulnerabilities with the true inducing commits and correct vulnerable versions than the previous SZZ algorithms. Our approach outperforms the previous SZZ algorithms in terms of F1-score for identifying vulnerability-inducing commits on both C/C++ and Java projects (0.736 and 0.630, respectively). For refining vulnerable versions, our approach also achieves the best performance on the two datasets in terms of F1-score (0.928 and 0.952).
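As an added illustration (not code from the paper or its authors), the following Python sketch contrasts the classic SZZ choice (the commit that last touched a line, as blame reports it) with the earliest-modifier rule described in the abstract. It uses difflib as a stand-in for the paper's line mapping algorithms over a constructed three-commit history in which a rename-only commit sits between the real origin of a vulnerable line and its fix.

```python
import difflib
from typing import List, Optional, Tuple

# Constructed toy history of one file, oldest first: (commit id, lines).
# c1 adds an unchecked memcpy, c2 only renames the length variable on
# that line, c3 makes an unrelated edit. A later fix deletes line 1 of c3.
HISTORY: List[Tuple[str, List[str]]] = [
    ("c1", ["int n = read_len();", "memcpy(buf, src, n);", "return 0;"]),
    ("c2", ["int len = read_len();", "memcpy(buf, src, len);", "return 0;"]),
    ("c3", ["int len = read_len();", "memcpy(buf, src, len);", "log(len);",
            "return 0;"]),
]


def map_line_back(old: List[str], new: List[str],
                  line_no: int) -> Tuple[Optional[int], bool]:
    """Map 0-based `line_no` in `new` to its predecessor in `old`.
    Returns (old_line, changed); old_line is None when the line has no
    ancestor, i.e. it was inserted by the commit that produced `new`.
    difflib stands in for the paper's line mapping algorithms here."""
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(a=old, b=new).get_opcodes():
        if not (j1 <= line_no < j2):
            continue
        if tag == "equal":
            return i1 + (line_no - j1), False
        if tag == "replace" and line_no - j1 < i2 - i1:
            return i1 + (line_no - j1), True  # edited in place: keep tracing
        return None, True
    return None, True


def last_modifier(history, line_no: int) -> str:
    """Classic SZZ: blame the commit that last touched the line."""
    idx = len(history) - 1
    while idx > 0:
        prev, changed = map_line_back(history[idx - 1][1], history[idx][1], line_no)
        if changed:
            return history[idx][0]
        line_no, idx = prev, idx - 1
    return history[0][0]


def earliest_modifier(history, line_no: int) -> str:
    """Improved rule from the abstract: follow the line through every
    in-place edit back to the commit where it first appeared."""
    idx = len(history) - 1
    while idx > 0:
        prev, _ = map_line_back(history[idx - 1][1], history[idx][1], line_no)
        if prev is None:
            break  # inserted by history[idx]
        line_no, idx = prev, idx - 1
    return history[idx][0]


if __name__ == "__main__":
    print("blame picks", last_modifier(HISTORY, 1))       # c2 (rename only)
    print("V-SZZ picks", earliest_modifier(HISTORY, 1))   # c1 (real origin)
```

With the rename in c2, blame-style SZZ would report c2 and hence mark only versions from c2 onward as vulnerable, while tracing to the earliest modifier correctly reaches c1.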
Session: 05:00 - 06:00, Mining Software Repositories 1 (Technical Track / Journal-First Papers / SEIP - Software Engineering in Practice), ICSE room 3-odd hours. Chair(s): Ayushi Rastogi, University of Groningen, The Netherlands
05:00 (5m talk): What happens in my code reviews? An investigation on automatically classifying review changes. Journal-First Papers. Enrico Fregnan (University of Zurich, Switzerland), Fernando Petrulio (University of Zurich), Linda Di Geronimo (University of Zurich, Switzerland), Alberto Bacchelli (University of Zurich)
05:05 (5m talk): Bus Factor In Practice. SEIP - Software Engineering in Practice. Elgun Jabrayilzade (Bilkent University), Mikhail Evtikhiev (JetBrains Research), Eray Tüzün (Bilkent University), Vladimir Kovalenko (JetBrains Research)
05:10 (5m talk): AutoTransform: Automated Code Transformation to Support Modern Code Review Process. Technical Track. Patanamon Thongtanunam (University of Melbourne), Chanathip Pornprasit (Monash University), Kla Tantithamthavorn (Monash University)
05:15 (5m talk): What Makes a Good Commit Message? (Distinguished Paper Award). Technical Track. Yingchen Tian (Beijing Institute of Technology), Yuxia Zhang (Beijing Institute of Technology), Klaas-Jan Stol (University College Cork, Lero, SINTEF), Lin Jiang (Beijing Institute of Technology), Hui Liu (Beijing Institute of Technology)
05:20 (5m talk): BugListener: Identifying and Synthesizing Bug Reports from Collaborative Live Chats. Technical Track. Lin Shi (ISCAS), Fangwen Mu (Institute of Software, Chinese Academy of Sciences), YuMin Zhang (Institute of Software, Chinese Academy of Sciences), Ye Yang (Stevens Institute of Technology), Junjie Chen (Tianjin University), Xiao Chen (Monash University), Hanzhi Jiang (Institute of Software, Chinese Academy of Sciences), Ziyou Jiang (Institute of Software, Chinese Academy of Sciences), Qing Wang (Institute of Software, Chinese Academy of Sciences)
05:25 (5m talk): SZZ for Vulnerability: Automatic Identification of Version Ranges Affected by CVE Vulnerabilities. Technical Track. Lingfeng Bao (Zhejiang University), Xin Xia (Huawei Software Engineering Application Technology Lab), Ahmed E. Hassan (Queen's University), Xiaohu Yang (Zhejiang University)