Where is it? Tracing the Vulnerability-relevant Files from Vulnerability Reports (ICSE 2024 - Research Track)

Who

Jiamou Sun, Jieshan Chen, Zhenchang Xing, Qinghua Lu, Xiwei (Sherry) Xu, Liming Zhu

Track

ICSE 2024 Research Track

Time Zone

The program is currently displayed in (GMT+01:00) Lisbon.

Use conference time zone: (GMT+01:00) LisbonSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Wed 17 Apr 2024 14:30 - 14:45 at Sophia de Mello Breyner Andresen - Analytics & AI Chair(s): Lingming Zhang

Abstract

With the widely usage of open-source software, supply-chain-based vulnerability attacks, including SolarWind and Log4Shell, have posed significant risks to software security. Currently, people rely on vulnerability advisory databases or commercial software bill of materials (SBOM) to defend against potential risks. Unfortunately, these datasets do not provide finer-grained file-level vulnerability information, compromising their effectiveness. Previous works have not adequately addressed this issue, and mainstream vulnerability detection methods have their drawbacks that hinder resolving this gap. Driven by the real needs, we propose a framework that can trace the vulnerability-relevant file for each disclosed vulnerability. Our approach uses NVD descriptions with metadata as the inputs, and employs a series of strategies with a LLM model, search engine, heuristic-based text matching method and a deep learning classifier to recommend the most likely vulnerability-relevant file, effectively enhancing the completeness of existing NVD data. Our experiments confirm that the efficiency of the proposed framework, with CodeBERT achieving 0.92 AUC and 0.85 MAP, and our user study proves our approach can help with vulnerability-relevant file detection effectively. To the best of our knowledge, our work is the first one focusing on tracing vulnerability-relevant files, laying the groundwork of building finer-grained vulnerability-aware software bill of materials.

Jiamou Sun

CSIRO's Data61

Jieshan Chen

CSIRO's Data61

Australia

Zhenchang Xing

CSIRO's Data61

Qinghua Lu

Data61, CSIRO

Australia

Xiwei (Sherry) Xu

Data61, CSIRO

Australia

Liming Zhu

CSIRO’s Data61

Australia

Time Zone

The program is currently displayed in (GMT+01:00) Lisbon.

Use conference time zone: (GMT+01:00) LisbonSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Wed 17 Apr
Displayed time zone: Lisbon change

14:00 - 15:30	Analytics & AIResearch Track / Journal-first Papers at Sophia de Mello Breyner Andresen Chair(s): Lingming Zhang University of Illinois at Urbana-Champaign

14:00 15m Talk		DeepLSH: Deep Locality-Sensitive Hash Learning for Fast and Efficient Near-Duplicate Crash Report Detection Research Track Youcef REMIL INSA Lyon, INFOLOGIC, Anes Bendimerad Infologic, Romain Mathonat Infologic, Chedy raissi Ubisoft, Mehdi Kaytoue Infologic
14:15 15m Talk		DivLog: Log Parsing with Prompt Enhanced In-Context Learning Research Track Junjielong Xu The Chinese University of Hong Kong, Shenzhen, Ruichun Yang The Chinese University of Hong Kong, Shenzhen, Yintong Huo The Chinese University of Hong Kong, Chengyu Zhang ETH Zurich, Pinjia He Chinese University of Hong Kong, Shenzhen
14:30 15m Talk		Where is it? Tracing the Vulnerability-relevant Files from Vulnerability Reports Research Track Jiamou Sun CSIRO's Data61, Jieshan Chen CSIRO's Data61, Zhenchang Xing CSIRO's Data61, Qinghua Lu Data61, CSIRO, Xiwei (Sherry) Xu Data61, CSIRO, Liming Zhu CSIRO’s Data61
14:45 15m Talk		Demystifying and Detecting Misuses of Deep Learning APIs Research Track Moshi Wei York University, Nima Shiri Harzevili York University, Yuekai Huang Institute of Software, Chinese Academy of Sciences, Jinqiu Yang Concordia University, Junjie Wang Institute of Software, Chinese Academy of Sciences, Song Wang York University
15:00 7m Talk		Toward Understanding Deep Learning Framework Bugs Journal-first Papers Junjie Chen Tianjin University, Yihua Liang College of Intelligence and Computing, Tianjin University, Qingchao Shen Tianjin University, Jiajun Jiang Tianjin University, Shuochuan Li College of Intelligence and Computing, Tianjin University
15:07 7m Talk		Fair Enough: Searching for Sufficient Measures of Fairness Journal-first Papers Suvodeep Majumder North Carolina State University, Joymallya Chakraborty Amazon.com, Gina Bai North Carolina State University, Kathryn Stolee North Carolina State University, Tim Menzies North Carolina State University DOI Pre-print
15:14 7m Talk		Representation Learning for Stack Overflow Posts: How Far are We? Journal-first Papers Junda He Singapore Management University, Xin Zhou Singapore Management University, Singapore, Bowen Xu North Carolina State University, Ting Zhang Singapore Management University, Kisub Kim Singapore Management University, Singapore, Zhou Yang Singapore Management University, Ferdian Thung Singapore Management University, Ivana Clairine Irsan Singapore Management University, David Lo Singapore Management University
15:21 7m Talk		Journal First: Learning from Very Little Data: On the Value of Landscape Analysis for Predicting Software Project Health) Journal-first Papers Andre Lustosa North Carolina State University, Tim Menzies North Carolina State University DOI Pre-print