VulCurator: A Vulnerability-Fixing Commit Detector

September 07, 2022 · Entered Twilight · ESEC/SIGSOFT FSE

TWILIGHT: Eternal Rest
Repo abandoned since publication

Repo contents: .gitignore, .idea, README.md, application.py, application_old.py, commit_retriever.py, config.py, cve_parser.py, data_loader.py, data_preprocessor.py, dataset_formater.py, ensemble_classifier.py, entities.py, feature_options.py, github_issue_retriever.py, info_sub_enhanced_dataset_th_100.txt.json, info_tf_vuln_dataset.csv.json, issue_classifier.py, issue_linker.py, issue_linker_infer.py, issue_visualizer.py, main.py, message_classifier.py, message_visualizer.py, model.py, model, neg_candidate.csv, patch_entities.py, prediction_sample_1.json, probs, sample_1.json, sample_2.json, sap_dataset.conf, sap_patch_dataset.csv, sap_vuln_visualize_new.png, selected_neg_sha.csv, tf_dataset.conf, tf_dataset_sap_format.txt, tf_fixes.csv, tf_issue_linking.csv, tf_issue_linking_backup.csv, tf_neg.csv, tf_pos.csv, tf_vuln_dataset.csv, tf_vuln_visualize.png, tf_vuln_visualize_new.png, trivial.py, utils.py, variant_8_finetune_separate.py, variant_ensemble.py, vf_detector, vulfixminer.py, vulfixminer_finetune.py, vuln_visualize.png

Authors: Truong Giang Nguyen, Thanh Le-Cong, Hong Jin Kang, Xuan-Bach D. Le, David Lo
arXiv ID: 2209.03260
Category: cs.CR: Cryptography & Security
Cross-listed: cs.AI, cs.SE
Citations: 37
Venue: ESEC/SIGSOFT FSE
Repository: https://github.com/ntgiang71096/VFDetector (⭐ 25)
Last Checked: 1 month ago

Abstract
Open-source software (OSS) vulnerability management process is important nowadays, as the number of discovered OSS vulnerabilities is increasing over time. Monitoring vulnerability-fixing commits is a part of the standard process to prevent vulnerability exploitation. Manually detecting vulnerability-fixing commits is, however, time consuming due to the possibly large number of commits to review. Recently, many techniques have been proposed to automatically detect vulnerability-fixing commits using machine learning. These solutions either: (1) did not use deep learning, or (2) use deep learning on only limited sources of information. This paper proposes VulCurator, a tool that leverages deep learning on richer sources of information, including commit messages, code changes and issue reports for vulnerability-fixing commit classification. Our experimental results show that VulCurator outperforms the state-of-the-art baselines up to 16.1% in terms of F1-score. VulCurator tool is publicly available at https://github.com/ntgiang71096/VFDetector and https://zenodo.org/record/7034132#.Yw3MN-xBzDI, with a demo video at https://youtu.be/uMlFmWSJYOE.