Towards Unveiling Vulnerability Remediation Tactics from OSS Community
In the rapidly evolving landscape of software development, addressing security vulnerabilities in open-source software has become highly important. Existing research and tools from both academia and industry, however, have mainly relied on a limited set of solutions, such as vulnerable version adjustment and adopting patches, to handle identified vulnerabilities. Far more flexible and diverse countermeasures are actively adopted in open-source communities, and these potentially complement the traditional remediation tactics provided by modern vulnerability databases. To this end, we conducted an empirical study to unveil the remediation tactics used in the GitHub community for CVEs. We then compared these tactics with those from modern vulnerability databases to underscore a critical gap in those databases, where 54% of CVEs lack fixing suggestions. This gap can be significantly mitigated by leveraging the 93% of actionable solutions provided through GitHub issues.
Tue 29 Apr (displayed time zone: Eastern Time, US & Canada)

16:00 - 17:30, APR Session 4 (APR), room 210. Chair(s): Tegawendé F. Bissyandé (University of Luxembourg), Chao Peng (ByteDance)

16:00, 20m talk: Simple Fault Localization using Execution Traces (APR)

16:20, 20m talk: Studying and Understanding the Effectiveness and Failures of Conversational LLM-Based Repair (APR). Aolin Chen (Wuhan University), Haojun Wu (Wuhan University), Qi Xin (Wuhan University), Steven P. Reiss (Brown University), Jifeng Xuan (Wuhan University)

16:40, 20m talk: Towards Unveiling Vulnerability Remediation Tactics from OSS Community (APR). Lyuye Zhang (Nanyang Technological University), Wu Jiahui, Chengwei Liu (Nanyang Technological University), Kaixuan Li (East China Normal University), Sen Chen (Nankai University), Yang Liu (Nanyang Technological University)

17:00, 20m talk: Which Inputs Trigger my Patch? (APR). Martin Eberlein (Humboldt-Universität zu Berlin), Moeketsi Raselimo (Humboldt-Universität zu Berlin, Germany and Stellenbosch University, South Africa), Lars Grunske (Humboldt-Universität zu Berlin)