ICSE 2024
Fri 12 - Sun 21 April 2024 Lisbon, Portugal
Wed 17 Apr 2024 14:30 - 14:45 at Sophia de Mello Breyner Andresen - Analytics & AI Chair(s): Lingming Zhang

With the wide usage of open-source software, supply-chain-based vulnerability attacks, including SolarWinds and Log4Shell, have posed significant risks to software security. Currently, people rely on vulnerability advisory databases or commercial software bills of materials (SBOMs) to defend against potential risks. Unfortunately, these datasets do not provide finer-grained file-level vulnerability information, which compromises their effectiveness. Previous works have not adequately addressed this issue, and mainstream vulnerability detection methods have drawbacks that hinder closing this gap. Driven by this real need, we propose a framework that can trace the vulnerability-relevant file for each disclosed vulnerability. Our approach takes NVD descriptions with metadata as inputs and employs a series of strategies combining an LLM, a search engine, a heuristic-based text matching method and a deep learning classifier to recommend the most likely vulnerability-relevant file, effectively enhancing the completeness of existing NVD data. Our experiments confirm the efficiency of the proposed framework, with CodeBERT achieving 0.92 AUC and 0.85 MAP, and our user study shows that our approach can help with vulnerability-relevant file detection effectively. To the best of our knowledge, our work is the first to focus on tracing vulnerability-relevant files, laying the groundwork for building finer-grained vulnerability-aware software bills of materials.

Wed 17 Apr

Displayed time zone: Lisbon

14:00 - 15:30
Analytics & AI: Research Track / Journal-first Papers at Sophia de Mello Breyner Andresen
Chair(s): Lingming Zhang University of Illinois at Urbana-Champaign
14:00
15m
Talk
DeepLSH: Deep Locality-Sensitive Hash Learning for Fast and Efficient Near-Duplicate Crash Report Detection
Research Track
Youcef Remil INSA Lyon, INFOLOGIC, Anes Bendimerad Infologic, Romain Mathonat Infologic, Chedy Raissi Ubisoft, Mehdi Kaytoue Infologic
14:15
15m
Talk
DivLog: Log Parsing with Prompt Enhanced In-Context Learning
Research Track
Junjielong Xu The Chinese University of Hong Kong, Shenzhen, Ruichun Yang The Chinese University of Hong Kong, Shenzhen, Yintong Huo The Chinese University of Hong Kong, Chengyu Zhang ETH Zurich, Pinjia He Chinese University of Hong Kong, Shenzhen
14:30
15m
Talk
Where is it? Tracing the Vulnerability-relevant Files from Vulnerability Reports
Research Track
Jiamou Sun CSIRO's Data61, Jieshan Chen CSIRO's Data61, Zhenchang Xing CSIRO's Data61, Qinghua Lu Data61, CSIRO, Xiwei (Sherry) Xu Data61, CSIRO, Liming Zhu CSIRO's Data61
14:45
15m
Talk
Demystifying and Detecting Misuses of Deep Learning APIs
Research Track
Moshi Wei York University, Nima Shiri Harzevili York University, Yuekai Huang Institute of Software, Chinese Academy of Sciences, Jinqiu Yang Concordia University, Junjie Wang Institute of Software, Chinese Academy of Sciences, Song Wang York University
15:00
7m
Talk
Toward Understanding Deep Learning Framework Bugs
Journal-first Papers
Junjie Chen Tianjin University, Yihua Liang College of Intelligence and Computing, Tianjin University, Qingchao Shen Tianjin University, Jiajun Jiang Tianjin University, Shuochuan Li College of Intelligence and Computing, Tianjin University
15:07
7m
Talk
Fair Enough: Searching for Sufficient Measures of Fairness
Journal-first Papers
Suvodeep Majumder North Carolina State University, Joymallya Chakraborty Amazon.com, Gina Bai North Carolina State University, Kathryn Stolee North Carolina State University, Tim Menzies North Carolina State University
15:14
7m
Talk
Representation Learning for Stack Overflow Posts: How Far are We?
Journal-first Papers
Junda He Singapore Management University, Xin Zhou Singapore Management University, Singapore, Bowen Xu North Carolina State University, Ting Zhang Singapore Management University, Kisub Kim Singapore Management University, Singapore, Zhou Yang Singapore Management University, Ferdian Thung Singapore Management University, Ivana Clairine Irsan Singapore Management University, David Lo Singapore Management University
15:21
7m
Talk
Journal First: Learning from Very Little Data: On the Value of Landscape Analysis for Predicting Software Project Health
Journal-first Papers
Andre Lustosa North Carolina State University, Tim Menzies North Carolina State University