ICSE 2022
Sun 8 - Fri 27 May 2022
Mon 9 May 2022 22:20 - 22:25 at ICSE room 2-even hours - Mining Software Repositories 3 Chair(s): John-Paul Ore
Thu 12 May 2022 05:25 - 05:30 at ICSE room 3-odd hours - Mining Software Repositories 1 Chair(s): Ayushi Rastogi

Vulnerabilities publicly disclosed in the National Vulnerability Database (NVD) are assigned CVE (Common Vulnerabilities and Exposures) IDs and associated with specific software versions. Many organizations, including IT companies and government agencies, rely heavily on the vulnerabilities disclosed in NVD to mitigate their security risks. Once NVD reports a piece of software as vulnerable, these organizations check whether they run the vulnerable versions of that software and assess the impact on themselves. However, the version information about vulnerable software in NVD is not always reliable. Nguyen et al. find that the version information of many CVE vulnerabilities is spurious and propose an approach based on the original SZZ algorithm to assess the software versions affected by CVE vulnerabilities.

However, SZZ algorithms are designed for common bugs, and vulnerabilities differ from ordinary bugs. Many bugs are introduced by a recent bug-fixing commit, but vulnerabilities are usually introduced in the initial versions of the code. Thus, the current SZZ algorithms often fail to identify the inducing commits for vulnerabilities. Therefore, in this study, we propose an approach based on an improved SZZ algorithm to refine the software versions affected by CVE vulnerabilities. Our proposed SZZ algorithm leverages line mapping algorithms to identify the earliest commit that modified the vulnerable lines and treats those commits as the vulnerability-inducing commits, as opposed to the previous SZZ algorithms, which assume that the commits that last modified the buggy lines are the inducing commits. To evaluate our proposed approach, we manually annotate the true inducing commits and verify the vulnerable versions for 172 CVE vulnerabilities with fixing commits from two publicly available datasets, covering five C/C++ projects and 41 Java projects, respectively. We find that the version information of 99 out of the 172 vulnerabilities is spurious. The experimental results show that our proposed approach identifies more vulnerabilities with the true inducing commits and correct vulnerable versions than the previous SZZ algorithms. Our approach outperforms the previous SZZ algorithms in terms of F1-score for identifying vulnerability-inducing commits on both the C/C++ and Java projects (0.736 and 0.630, respectively). For refining vulnerable versions, our approach also achieves the best performance on the two datasets in terms of F1-score (0.928 and 0.952).
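The difference between "last commit that modified the vulnerable lines" (original SZZ) and "earliest commit that modified them" (the approach in this abstract) is easiest to see on a small history. The following is an added example and not code from the paper or its authors: it constructs a toy linear history of one C file inline (commit ids c1..c4, tags v1.0..v1.3 and the file contents are all made up), approximates line mapping with Python's difflib instead of the dedicated line mapping algorithms the paper uses, and then derives the affected version range from each choice of inducing commit. The fixing commit replaces a strcpy with a bounded copy; an intermediate commit only added a comment to that line, which is exactly the situation where picking the last modifier produces a spurious version range.

```python
"""Toy comparison of last-modifier (original SZZ) vs. earliest-modifier
(vulnerability-oriented SZZ) selection of the inducing commit.
Added example; history, ids and tags below are constructed."""
import difflib

# Constructed linear history, oldest first. Each entry is one commit with the
# full contents of a single file. c4 is the vulnerability-fixing commit.
HISTORY = [
    {"id": "c1", "parent": None, "tag": "v1.0", "lines": [
        "int parse(char *buf) {", "  char tmp[16];", "  strcpy(tmp, buf);",
        "  return 0;", "}"]},
    {"id": "c2", "parent": "c1", "tag": "v1.1", "lines": [
        "#include <string.h>", "int parse(char *buf) {", "  char tmp[16];",
        "  strcpy(tmp, buf);", "  return 0;", "}"]},
    # c3 only adds a comment to the vulnerable line: a cosmetic modification.
    {"id": "c3", "parent": "c2", "tag": "v1.2", "lines": [
        "#include <string.h>", "int parse(char *buf) {", "  char tmp[16];",
        "  strcpy(tmp, buf);  // copy input", "  return 0;", "}"]},
    # c4 is the fix: bounded copy plus explicit termination.
    {"id": "c4", "parent": "c3", "tag": "v1.3", "lines": [
        "#include <string.h>", "int parse(char *buf) {", "  char tmp[16];",
        "  strncpy(tmp, buf, sizeof tmp - 1);", "  tmp[15] = 0;",
        "  return 0;", "}"]},
]


def commits_by_id(history):
    return {c["id"]: c for c in history}


def changed_parent_lines(parent_lines, child_lines):
    """Parent-side line indices the child commit deleted or replaced."""
    sm = difflib.SequenceMatcher(None, parent_lines, child_lines, autojunk=False)
    return [i for tag, i1, i2, _, _ in sm.get_opcodes()
            if tag != "equal" for i in range(i1, i2)]


def map_to_parent(parent_lines, child_lines, idx):
    """Simplified line mapping (stand-in for the paper's line mapping algorithms).
    Returns (parent_index or None, modified_in_child)."""
    sm = difflib.SequenceMatcher(None, parent_lines, child_lines, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if j1 <= idx < j2:
            if tag == "equal":
                return i1 + (idx - j1), False
            if tag == "replace" and i1 + (idx - j1) < i2:
                return i1 + (idx - j1), True   # content changed here, position kept
            return None, True                   # line was inserted by this commit
    raise ValueError(f"line {idx} not in child")


def trace_line(history, commit_id, idx):
    """Follow one line back through history; return the commits that modified
    its content, newest first (the root commit counts as introducing it)."""
    by_id = commits_by_id(history)
    modifiers, cur = [], by_id[commit_id]
    while True:
        if cur["parent"] is None:
            modifiers.append(cur["id"])
            return modifiers
        parent = by_id[cur["parent"]]
        pidx, modified = map_to_parent(parent["lines"], cur["lines"], idx)
        if modified:
            modifiers.append(cur["id"])
        if pidx is None:
            return modifiers
        cur, idx = parent, pidx


def inducing_commits(history, fix_id, earliest):
    """earliest=False reproduces original SZZ (last modifier);
    earliest=True picks the earliest modifier, as the abstract describes."""
    by_id = commits_by_id(history)
    fix = by_id[fix_id]
    parent = by_id[fix["parent"]]
    result = set()
    for idx in changed_parent_lines(parent["lines"], fix["lines"]):
        chain = trace_line(history, parent["id"], idx)
        result.add(chain[-1] if earliest else chain[0])
    return sorted(result)


def affected_versions(history, inducing, fix_id):
    """Tags from the first inducing commit up to (excluding) the fix, linear history."""
    ids = [c["id"] for c in history]
    start = min(ids.index(i) for i in inducing)
    return [c["tag"] for c in history[start:ids.index(fix_id)] if c["tag"]]


if __name__ == "__main__":
    for label, earliest in (("original SZZ", False), ("earliest-modifier SZZ", True)):
        ind = inducing_commits(HISTORY, "c4", earliest)
        print(f"{label:22s} inducing={ind} affected={affected_versions(HISTORY, ind, 'c4')}")
```

Run as a script, the last-modifier rule blames the comment-only commit c3 and reports v1.2 as the only affected version, while the earliest-modifier rule reaches c1 and reports v1.0 through v1.2, which is the range a consumer of NVD data would actually need to check.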

Mon 9 May

Displayed time zone: Eastern Time (US & Canada)

22:00 - 23:00
Mining Software Repositories 3 - Journal-First Papers / NIER - New Ideas and Emerging Results / Technical Track at ICSE room 2-even hours
Chair(s): John-Paul Ore North Carolina State University
22:00
5m
Talk
Post2Vec: Learning Distributed Representations of Stack Overflow Posts
Journal-First Papers
Bowen Xu Singapore Management University, Thong Hoang Singapore Management University, Singapore, Abhishek Sharma Veracode, Inc., Chengran Yang Singapore Management University, Xin Xia Huawei Software Engineering Application Technology Lab, David Lo Singapore Management University
Link to publication DOI Pre-print
22:05
5m
Talk
On Using Stack Overflow Comment-Edit Pairs to Recommend Code Maintenance Changes
Journal-First Papers
Henry Tang University of Alberta, Sarah Nadi University of Alberta
Link to publication DOI Pre-print Media Attached
22:10
5m
Talk
Understanding Shared Links and Their Intentions to Meet Information Needs in Modern Code Review: A Case Study of the OpenStack and Qt Projects
Journal-First Papers
Dong Wang Kyushu University, Japan, Tao Xiao Nara Institute of Science and Technology, Patanamon Thongtanunam University of Melbourne, Raula Gaikovina Kula Nara Institute of Science and Technology, Kenichi Matsumoto Nara Institute of Science and Technology
Link to publication Media Attached
22:15
5m
Talk
Towards Mining OSS Skills from GitHub Activity
NIER - New Ideas and Emerging Results
Jenny T. Liang University of Washington, Thomas Zimmermann Microsoft Research, Denae Ford Microsoft Research
DOI Pre-print Media Attached
22:20
5m
Talk
SZZ for Vulnerability: Automatic Identification of Version Ranges Affected by CVE Vulnerabilities
Technical Track
Lingfeng Bao Zhejiang University, Xin Xia Huawei Software Engineering Application Technology Lab, Ahmed E. Hassan Queen's University, Xiaohu Yang Zhejiang University
DOI Pre-print Media Attached
22:25
5m
Talk
Manas: Mining Software Repositories to Assist AutoML
Technical Track
Giang Nguyen Iowa State University, Md Johirul Islam Iowa State University, Rangeet Pan Iowa State University, USA, Hridesh Rajan Iowa State University
DOI Pre-print Media Attached

Thu 12 May

Displayed time zone: Eastern Time (US & Canada)

05:00 - 06:00
Mining Software Repositories 1 - Technical Track / Journal-First Papers / SEIP - Software Engineering in Practice at ICSE room 3-odd hours
Chair(s): Ayushi Rastogi University of Groningen, The Netherlands
05:00
5m
Talk
What happens in my code reviews? An investigation on automatically classifying review changes
Journal-First Papers
Enrico Fregnan University of Zurich, Switzerland, Fernando Petrulio University of Zurich, Linda Di Geronimo University of Zurich, Switzerland, Alberto Bacchelli University of Zurich
Link to publication Pre-print Media Attached
05:05
5m
Talk
Bus Factor In Practice
SEIP - Software Engineering in Practice
Elgun Jabrayilzade Bilkent University, Mikhail Evtikhiev JetBrains Research, Eray Tüzün Bilkent University, Vladimir Kovalenko JetBrains Research
Pre-print Media Attached
05:10
5m
Talk
AutoTransform: Automated Code Transformation to Support Modern Code Review Process
Technical Track
Patanamon Thongtanunam University of Melbourne, Chanathip Pornprasit Monash University, Kla Tantithamthavorn Monash University
Pre-print Media Attached
05:15
5m
Talk
What Makes a Good Commit Message? (Distinguished Paper Award)
Technical Track
Yingchen Tian Beijing Institute of Technology, Yuxia Zhang Beijing Institute of Technology, Klaas-Jan Stol University College Cork, Lero, SINTEF, Lin Jiang Beijing Institute of Technology, Hui Liu Beijing Institute of Technology
Pre-print Media Attached
05:20
5m
Talk
BugListener: Identifying and Synthesizing Bug Reports from Collaborative Live Chats
Technical Track
Lin Shi ISCAS, Fangwen Mu Institute of Software Chinese Academy of Sciences, YuMin Zhang Institute of Software, Chinese Academy of Sciences, Ye Yang Stevens Institute of Technology, Junjie Chen Tianjin University, Xiao Chen Monash University, Hanzhi Jiang Institute of Software at Chinese Academy of Sciences, Ziyou Jiang Institute of Software at Chinese Academy of Sciences, Qing Wang Institute of Software at Chinese Academy of Sciences
Pre-print Media Attached
05:25
5m
Talk
SZZ for Vulnerability: Automatic Identification of Version Ranges Affected by CVE Vulnerabilities
Technical Track
Lingfeng Bao Zhejiang University, Xin Xia Huawei Software Engineering Application Technology Lab, Ahmed E. Hassan Queen's University, Xiaohu Yang Zhejiang University
DOI Pre-print Media Attached

Information for Participants
Mon 9 May 2022 22:00 - 23:00 at ICSE room 2-even hours - Mining Software Repositories 3 Chair(s): John-Paul Ore
Info for room ICSE room 2-even hours: the room is hosted on Midspace.

Thu 12 May 2022 05:00 - 06:00 at ICSE room 3-odd hours - Mining Software Repositories 1 Chair(s): Ayushi Rastogi
Info for room ICSE room 3-odd hours: the room is hosted on Midspace.