Discovering Vulnerabilities and Patches for Open Source Security
Tamara Gunkel, Thomas Hupperich
2022
Abstract
Open source software is used in numerous systems and security vulnerabilities in such software often affect many targets at once. Hence, it is crucial to find security vulnerabilities as soon as possible. A convenient method to check software for vulnerabilities is executing a static code analysis tool before deployment. However, for verifying the reliability of such tools, real-world data including labeled non-vulnerable and vulnerable code is required. This paper introduces an approach to automatically create and enhance a labeled data set of open source projects. The ground truth of vulnerabilities is extracted from up-to-date CVEs. We identify repositories related to known vulnerabilities, select vulnerable versions and take patch commits into account. In this context, we utilize Gradient Boosting based on regression trees as a meta classifier for associating patch commits to CWE categories. With a high precision of this matching, we give insights about the impact of certain vulnerabilities and a general overview of open source code security. Our findings may be used for future studies, such as the impact of certain code design criteria, e.g. clean code, on the prevalence of vulnerabilities.
DownloadPaper Citation
in Harvard Style
Gunkel T. and Hupperich T. (2022). Discovering Vulnerabilities and Patches for Open Source Security. In Proceedings of the 17th International Conference on Software Technologies - Volume 1: ICSOFT, ISBN 978-989-758-588-3, pages 641-648. DOI: 10.5220/0011299400003266
in Bibtex Style
@conference{icsoft22,
author={Tamara Gunkel and Thomas Hupperich},
title={Discovering Vulnerabilities and Patches for Open Source Security},
booktitle={Proceedings of the 17th International Conference on Software Technologies - Volume 1: ICSOFT,},
year={2022},
pages={641-648},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0011299400003266},
isbn={978-989-758-588-3},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 17th International Conference on Software Technologies - Volume 1: ICSOFT,
TI - Discovering Vulnerabilities and Patches for Open Source Security
SN - 978-989-758-588-3
AU - Gunkel T.
AU - Hupperich T.
PY - 2022
SP - 641
EP - 648
DO - 10.5220/0011299400003266