Towards Unveiling Vulnerability Remediation Tactics from OSS Community (APR 2025)

Who

Lyuye Zhang, Wu Jiahui, Chengwei Liu, Kaixuan Li, Sen Chen, Yang Liu

Track

APR 2025 Automated Program Repair

Time Zone

The program is currently displayed in (GMT-04:00) Eastern Time (US & Canada).

Use conference time zone: (GMT-04:00) Eastern Time (US & Canada)Select other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Tue 29 Apr 2025 16:40 - 17:00 at 210 - APR Session 4 Chair(s): Tegawendé F. Bissyandé, Chao Peng

Abstract

In the rapidly evolving landscape of software development, addressing security vulnerabilities in open-source software has become highly important. However, existing research and tools from both academia and industry mainly relied on limited solutions, such as vulnerable version adjustment and adopting patches, to handle identified vulnerabilities. However, far more flexible and diverse countermeasures have been actively adopted in the open-source communities, which potentially complement the traditional remediation tactics provided by modern vulnerability databases. To this end, we conducted an empirical study to unveil the remediation tactics used in the GitHub community towards CVEs. Then we compared the tactics with those from modern vulnerability databases to underscore a critical gap in modern vulnerability databases, where 54% of CVEs lack fixing suggestions. This gap can be significantly mitigated by leveraging the 93% of actionable solutions provided through GitHub issues.

Lyuye Zhang

Nanyang Technological University

Singapore

Wu Jiahui

Chengwei Liu

Nanyang Technological University

Singapore

Kaixuan Li

East China Normal University

China

Sen Chen

Nankai University

China

Yang Liu

Nanyang Technological University

Singapore

Time Zone

The program is currently displayed in (GMT-04:00) Eastern Time (US & Canada).

Use conference time zone: (GMT-04:00) Eastern Time (US & Canada)Select other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Tue 29 Apr
Displayed time zone: Eastern Time (US & Canada) change

16:00 - 17:30	APR Session 4APR at 210 Chair(s): Tegawendé F. Bissyandé University of Luxembourg, Chao Peng ByteDance

16:00 20m Talk		Simple Fault Localization using Execution Traces APR Julian Prenner Free University of Bozen-Bolzano, Romain Robbes CNRS, LaBRI, University of Bordeaux
16:20 20m Talk		Studying and Understanding the Effectiveness and Failures of Conversational LLM-Based Repair APR Aolin Chen Wuhan University, Haojun Wu Wuhan University, Qi Xin Wuhan University, Steven P. Reiss Brown University, Jifeng Xuan Wuhan University
16:40 20m Talk		Towards Unveiling Vulnerability Remediation Tactics from OSS Community APR Lyuye Zhang Nanyang Technological University, Wu Jiahui , Chengwei Liu Nanyang Technological University, Kaixuan Li East China Normal University, Sen Chen Nankai University, Yang Liu Nanyang Technological University
17:00 20m Talk		Which Inputs Trigger my Patch? APR Martin Eberlein Humboldt-Universtität zu Berlin, Moeketsi Raselimo Humboldt-Universität zu Berlin, Germany and Stellenbosch University, South Africa, Lars Grunske Humboldt-Universität zu Berlin