Tue 29 Apr 2025 16:40 - 17:00 at 210 - APR Session 4 Chair(s): Tegawendé F. Bissyandé, Chao Peng

In the rapidly evolving landscape of software development, addressing security vulnerabilities in open-source software has become highly important. However, existing research and tools from both academia and industry have mainly relied on limited solutions, such as adjusting vulnerable versions and adopting patches, to handle identified vulnerabilities. Meanwhile, far more flexible and diverse countermeasures have been actively adopted in open-source communities, which can potentially complement the traditional remediation tactics provided by modern vulnerability databases. To this end, we conducted an empirical study to unveil the remediation tactics used in the GitHub community towards CVEs. We then compared these tactics with those from modern vulnerability databases, underscoring a critical gap: 54% of CVEs lack fixing suggestions. This gap can be significantly mitigated by leveraging the 93% of actionable solutions provided through GitHub issues.

Tue 29 Apr

Displayed time zone: Eastern Time (US & Canada)

16:00 - 17:30
APR Session 4 (APR) at 210
Chair(s): Tegawendé F. Bissyandé (University of Luxembourg), Chao Peng (ByteDance)

16:00 | 20m | Talk | Simple Fault Localization using Execution Traces | APR
Julian Prenner (Free University of Bozen-Bolzano), Romain Robbes (CNRS, LaBRI, University of Bordeaux)

16:20 | 20m | Talk | Studying and Understanding the Effectiveness and Failures of Conversational LLM-Based Repair | APR
Aolin Chen (Wuhan University), Haojun Wu (Wuhan University), Qi Xin (Wuhan University), Steven P. Reiss (Brown University), Jifeng Xuan (Wuhan University)

16:40 | 20m | Talk | Towards Unveiling Vulnerability Remediation Tactics from OSS Community | APR
Lyuye Zhang (Nanyang Technological University), Wu Jiahui, Chengwei Liu (Nanyang Technological University), Kaixuan Li (East China Normal University), Sen Chen (Nankai University), Yang Liu (Nanyang Technological University)

17:00 | 20m | Talk | Which Inputs Trigger my Patch? | APR
Martin Eberlein (Humboldt-Universität zu Berlin), Moeketsi Raselimo (Humboldt-Universität zu Berlin, Germany and Stellenbosch University, South Africa), Lars Grunske (Humboldt-Universität zu Berlin)