Where is it? Tracing the Vulnerability-relevant Files from Vulnerability Reports
With the widespread use of open-source software, supply-chain-based vulnerability attacks, including SolarWinds and Log4Shell, have posed significant risks to software security. Currently, people rely on vulnerability advisory databases or commercial software bills of materials (SBOMs) to defend against potential risks. Unfortunately, these datasets do not provide finer-grained, file-level vulnerability information, which compromises their effectiveness. Previous work has not adequately addressed this issue, and mainstream vulnerability detection methods have drawbacks that hinder closing this gap. Driven by this real need, we propose a framework that traces the vulnerability-relevant file for each disclosed vulnerability. Our approach takes NVD descriptions with metadata as inputs and employs a series of strategies, combining an LLM, a search engine, a heuristic-based text matching method and a deep learning classifier, to recommend the most likely vulnerability-relevant file, effectively enhancing the completeness of existing NVD data. Our experiments confirm the efficiency of the proposed framework, with CodeBERT achieving 0.92 AUC and 0.85 MAP, and our user study shows that our approach can help with vulnerability-relevant file detection effectively. To the best of our knowledge, our work is the first to focus on tracing vulnerability-relevant files, laying the groundwork for building finer-grained, vulnerability-aware software bills of materials.
Wed 17 Apr (Lisbon time)

14:00 - 15:30 | Analytics & AI (Research Track / Journal-first Papers) at Sophia de Mello Breyner Andresen. Chair(s): Lingming Zhang (University of Illinois at Urbana-Champaign)

| Time | Length | Type | Title | Track | Authors |
|---|---|---|---|---|---|
| 14:00 | 15m | Talk | DeepLSH: Deep Locality-Sensitive Hash Learning for Fast and Efficient Near-Duplicate Crash Report Detection | Research Track | Youcef Remil (INSA Lyon, INFOLOGIC), Anes Bendimerad (Infologic), Romain Mathonat (Infologic), Chedy Raissi (Ubisoft), Mehdi Kaytoue (Infologic) |
| 14:15 | 15m | Talk | DivLog: Log Parsing with Prompt Enhanced In-Context Learning | Research Track | Junjielong Xu (The Chinese University of Hong Kong, Shenzhen), Ruichun Yang (The Chinese University of Hong Kong, Shenzhen), Yintong Huo (The Chinese University of Hong Kong), Chengyu Zhang (ETH Zurich), Pinjia He (Chinese University of Hong Kong, Shenzhen) |
| 14:30 | 15m | Talk | Where is it? Tracing the Vulnerability-relevant Files from Vulnerability Reports | Research Track | Jiamou Sun (CSIRO's Data61), Jieshan Chen (CSIRO's Data61), Zhenchang Xing (CSIRO's Data61), Qinghua Lu (Data61, CSIRO), Xiwei (Sherry) Xu (Data61, CSIRO), Liming Zhu (CSIRO's Data61) |
| 14:45 | 15m | Talk | Demystifying and Detecting Misuses of Deep Learning APIs | Research Track | Moshi Wei (York University), Nima Shiri Harzevili (York University), Yuekai Huang (Institute of Software, Chinese Academy of Sciences), Jinqiu Yang (Concordia University), Junjie Wang (Institute of Software, Chinese Academy of Sciences), Song Wang (York University) |
| 15:00 | 7m | Talk | Toward Understanding Deep Learning Framework Bugs | Journal-first Papers | Junjie Chen (Tianjin University), Yihua Liang (College of Intelligence and Computing, Tianjin University), Qingchao Shen (Tianjin University), Jiajun Jiang (Tianjin University), Shuochuan Li (College of Intelligence and Computing, Tianjin University) |
| 15:07 | 7m | Talk | Fair Enough: Searching for Sufficient Measures of Fairness | Journal-first Papers | Suvodeep Majumder (North Carolina State University), Joymallya Chakraborty (Amazon.com), Gina Bai (North Carolina State University), Kathryn Stolee (North Carolina State University), Tim Menzies (North Carolina State University) |
| 15:14 | 7m | Talk | Representation Learning for Stack Overflow Posts: How Far are We? | Journal-first Papers | Junda He (Singapore Management University), Xin Zhou (Singapore Management University, Singapore), Bowen Xu (North Carolina State University), Ting Zhang (Singapore Management University), Kisub Kim (Singapore Management University, Singapore), Zhou Yang (Singapore Management University), Ferdian Thung (Singapore Management University), Ivana Clairine Irsan (Singapore Management University), David Lo (Singapore Management University) |
| 15:21 | 7m | Talk | Journal First: Learning from Very Little Data: On the Value of Landscape Analysis for Predicting Software Project Health | Journal-first Papers | |