ReposVul: A Repository-Level High-Quality Vulnerability Dataset
Open-Source Software (OSS) vulnerabilities bring great challenges to the software security and pose potential risks to our society. Enormous efforts have been devoted into automated vulnerability detection, among which deep learning (DL)-based approaches have proven to be the most effective. However, the performance of the DL-based approaches generally relies on the quantity and quality of labeled data, and the current labeled data present the following limitations: (1) \textbf{Tangled Patches}: Developers may submit code changes unrelated to vulnerability fixes within patches, leading to tangled patches. (2) \textbf{Lacking Inter-procedural Vulnerabilities}: The existing vulnerability datasets typically contain function-level and file-level vulnerabilities, ignoring the relations between functions, thus rendering the approaches unable to detect the inter-procedural vulnerabilities. (3) \textbf{Outdated Patches}: The existing datasets usually contain outdated patches, which may bias the model during training.
To address the above limitations, in this paper, we propose an automated data collection framework and construct the first repository-level high-quality vulnerability dataset named \textbf{ReposVul}. The proposed framework mainly contains three modules: (1) A vulnerability untangling module, aiming at distinguishing vulnerability-fixing related code changes from tangled patches, in which the Large Language Models (LLMs) and static analysis tools are jointly employed. (2) A multi-granularity dependency extraction module, aiming at capturing the inter-procedural call relationships of vulnerabilities, in which we construct multiple-granularity information for each vulnerability patch, including repository-level, file-level, function-level, and line-level. (3) A trace-based filtering module, aiming at filtering the outdated patches, which leverages the file path trace-based filter and commit time trace-based filter to construct an up-to-date dataset.
The constructed repository-level ReposVul encompasses 6,134 CVE entries representing 236 CWE types across 1,491 projects and four programming languages. Thorough data analysis and manual checking demonstrate that ReposVul is high in quality and alleviates the problems of tangled and outdated patches in previous vulnerability datasets.
| (ICSE论文.pdf) | 2.65MiB |
Wed 17 AprDisplayed time zone: Lisbon change
14:00 - 15:30 | Evolution 1Research Track / Journal-first Papers / Demonstrations / Industry Challenge Track at Amália Rodrigues Chair(s): Jonathan Sillito Brigham Young University | ||
14:00 15mTalk | Large Language Models are Few-Shot Summarizers: Multi-Intent Comment Generation via In-Context Learning Research Track Mingyang Geng National University of Defense Technology, Shangwen Wang National University of Defense Technology, Dezun Dong NUDT, Haotian Wang National University of Defense Technolog, Ge Li Peking University, Zhi Jin Peking University, Xiaoguang Mao National University of Defense Technology, Liao Xiangke National University of Defense Technology DOI Pre-print | ||
14:15 15mTalk | Block-based Programming for Two-Armed Robots: A Comparative Study Research Track Felipe Fronchetti Virginia Commonwealth University, Nico Ritschel University of British Columbia, Logan Schorr Virginia Commonwealth University, Chandler Barfield Virginia Commonwealth University, Gabriella Chang Virginia Commonwealth University, Rodrigo Spinola Virginia Commonwealth University, Reid Holmes University of British Columbia, David C. Shepherd Louisiana State University DOI Pre-print Media Attached | ||
14:30 15mTalk | Exploiting Library Vulnerability via Migration Based Automating Test Generation Research Track Zirui Chen , Xing Hu Zhejiang University, Xin Xia Huawei Technologies, Yi Gao Zhejiang University, Tongtong Xu Huawei, David Lo Singapore Management University, Xiaohu Yang Zhejiang University | ||
14:45 15mTalk | ReposVul: A Repository-Level High-Quality Vulnerability Dataset Industry Challenge Track Xinchen Wang Harbin Institute of Technology, Ruida Hu Harbin Institute of Technology, Shenzhen, Cuiyun Gao Harbin Institute of Technology, Xin-Cheng Wen Harbin Institute of Technology, Yujia Chen Harbin Institute of Technology, Shenzhen, Qing Liao Harbin Institute of Technology Pre-print File Attached | ||
15:00 7mTalk | JOG: Java JIT Peephole Optimizations and Tests from Patterns Demonstrations Zhiqiang Zang The University of Texas at Austin, Aditya Thimmaiah The University of Texas at Austin, Milos Gligoric The University of Texas at Austin DOI Pre-print | ||
15:07 7mTalk | Predicting the Change Impact of Resolving Defects by Leveraging the Topics of Issue Reports in Open Source Software Systems Journal-first Papers Maram Assi Queen's University, Safwat Hassan University of Toronto, Canada, Stefanos Georgiou Queen's University, Ying Zou Queen's University, Kingston, Ontario | ||
15:14 7mTalk | Assessing the Exposure of Software Changes Journal-first Papers Mehran Meidani University of Waterloo, Maxime Lamothe Polytechnique Montreal, Shane McIntosh University of Waterloo Link to publication Pre-print | ||
15:21 7mTalk | Responding to change over time: A longitudinal case study on changes in coordination mechanisms in large‑scale agile Journal-first Papers Marthe Berntzen University of Oslo, Viktoria Stray University of Oslo, Nils Brede Moe , Rashina Hoda Monash University | ||