More Web Proxy on the site http://driver.im/

research-article

Public Access

Locating the Security Patches for Disclosed OSS Vulnerabilities with Vulnerability-Commit Correlation Ranking

Authors:

Min YangAuthors Info & Claims

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

Pages 3282 - 3299

https://doi.org/10.1145/3460120.3484593

Published: 13 November 2021 Publication History

Abstract

Security patches play an important role in defending against the security threats brought by the increasing OSS vulnerabilities. However, the collection of security patches still remains a challenging problem. Existing works mainly adopt a matching-based design that uses auxiliary information in CVE/NVD to reduce the search scope of patch commits. However, our preliminary study shows that these approaches can only cover a small part of disclosed OSS vulnerabilities (about 12%-53%) even with manual assistance.

To facilitate the collection of OSS security patches, this paper proposes a ranking-based approach, named PatchScout, which ranks the code commits in the OSS code repository based on their correlations to a given vulnerability. By exploiting the broad correlations between a vulnerability and code commits, patch commits are expected to be put to front positions in the ranked results. Compared with existing works, our approach could help to locate more security patches and meet a balance between the patch coverage and the manual efforts involved. We evaluate PatchScout with 685 OSS CVEs and the results show that it helps to locate 92.70% patches with acceptable manual workload. To further demonstrate the utility of PatchScout, we perform a study on 5 popular OSS projects and 225 CVEs to understand the patch deployment practice across branches, and we obtain many new findings.

References

[1]

2019. What are the most secure programming languages? https://www.whitesourcesoftware.com/most-secure-programming-languages/.

[2]

2020. Open source vulnerability management report. https://www.whitesourcesoftware.com/open-source-vulnerability-management-report/.

[3]

2021. FFmpeg. https://git.ffmpeg.org/ffmpeg.

[4]

2021. GitPython. https://github.com/gitpython-developers/GitPython.

[5]

2021. Jenkins. https://github.com/jenkinsci/jenkins.

[6]

2021. Linux Kernel. https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git.

[7]

2021. QEMU. https://git.qemu.org/git/qemu.git.

[8]

2021. Security Focus. https://www.securityfocus.com/.

[9]

2021. Security Tracker. https://securitytracker.com/.

[10]

2021. Vulnerable code database Project. https://github.com/google/vulncode-db.

[11]

2021. Wireshark. https://gitlab.com/wireshark/wireshark.

[12]

Shayan A. Akbar and Avinash C. Kak. 2019. SCOR: Source Code Retrieval with Semantics and Order. In Proceedings of the 16th International Conference on Mining Software Repositories (MSR).

[13]

Gautam Altekar, Ilya Bagrak, Paul Burstein, and Andrew Schultz. [n.d.]. OPUS: Online Patches and Updates for Security. In Proceedings of the 14th USENIX Security Symposium (USENIX Security).

[14]

John Anvik, Lyndon Hiew, and Gail C. Murphy. 2006. Who Should Fix This Bug?. In Proceedings of the 28th International Conference on Software Engineering (ICSE).

[15]

Jeff Arnold and M. Frans Kaashoek. 2009. Ksplice: Automatic Rebootless Kernel Updates. In Proceedings of the 4th ACM European Conference on Computer Systems (EuroSys).

[16]

Marcel Böhme, Van-Thuan Pham, Manh-Dung Nguyen, and Abhik Roychoudhury. [n.d.]. Directed Greybox Fuzzing. In Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security (CCS).

[17]

Léon Bottou. [n.d.]. Large-scale Machine Learning with Stochastic Gradient Descent. In Proceedings of the 19th International Conference on Computational Statistics (COMPSTAT).

[18]

Leo Breiman. [n.d.]. Bagging predictors. Machine learning ([n. d.]).

[19]

Chris Burges, Tal Shaked, Erin Renshaw, Ari Lazier, Matt Deeds, Nicole Hamilton, and Greg Hullender. 2005. Learning to Rank Using Gradient Descent. In Proceedings of the 22nd International Conference on Machine Learning (ICML).

Digital Library

[20]

Christopher JC Burges. 2010. From RankNet to LambdaRank to LambdaMart: An Overview. Learning (2010).

[21]

Cristian Cadar, Daniel Dunbar, and Dawson Engler. 2008. KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs. In Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation (OSDI).

[22]

Olivier Chapelle and Yi Chang. [n.d.]. Yahoo! Learning to Rank Challenge Overview. In Proceedings of the Learning to Rank Challenge.

[23]

Hongxu Chen, Yinxing Xue, Yuekang Li, Bihuan Chen, Xiaofei Xie, Xiuheng Wu, and Yang Liu. 2018. Hawkeye: Towards a Desired Directed Grey-Box Fuzzer. In Proceedings of the 25th ACM SIGSAC Conference on Computer and Communications Security (CCS).

Digital Library

[24]

Yue Chen, Yulong Zhang, Zhi Wang, Liangzhao Xia, Chenfu Bao, and Tao Wei. 2017. Adaptive Android Kernel Live Patching. In Proceedings of the 26th USENIX Security Symposium (USENIX Security).

[25]

MITRE Corporation. 2021. Common Vulnerabilities and Exposures. https://cve.mitre.org/.

[26]

Ricardo Cruz, Kelwin Fernandes, Jaime S Cardoso, and Joaquim F Pinto Costa. [n.d.]. Tackling Class Imbalance with Ranking. In Proceedings of the 2016 International Joint Conference on Neural Networks (IJCNN).

[27]

Jiarun Dai, Yuan Zhang, Zheyue Jiang, Yingtian Zhou, Junyan Chen, Xinyu Xing, Xiaohan Zhang, Xin Tan, Min Yang, and Zhemin Yang. [n.d.]. BScout: Direct Whole Patch Presence Test for Java Executables. In Proceedings of the 29th USENIX Security Symposium (USENIX Security).

[28]

Jiarun Dai, Yuan Zhang, Hailong Xu, Haiming Lyu, Zicheng Wu, Xinyu Xing, and Min Yang. 2021. Facilitating Vulnerability Assessment through PoC Migration. In Proceedings of the 28th ACM SIGSAC Conference on Computer and Communications Security (CCS).

Digital Library

[29]

Franck Dernoncourt, Ji Young Lee, and Peter Szolovits. [n.d.]. NeuroNER: an Easy-to-use Program for Named-entity Recognition based on Neural Networks. In Proceedings of the 2017 Conference on Empirical Methods in Natural Language Processing: System Demonstrations (EMNLP).

[30]

Ying Dong, Wenbo Guo, Yueqi Chen, Xinyu Xing, Yuqing Zhang, and Gang Wang. 2019. Towards the Detection of Inconsistencies in Public Security Vulnerability Reports. In Proceedings of the 28th USENIX Security Symposium (USENIX Security).

[31]

Jean-Rémy Falleri, Floréal Morandat, Xavier Blanc, Matias Martinez, and Martin Monperrus. [n.d.]. Fine-grained and Accurate Source Code Differencing. In Proceedings of the 29th ACM/IEEE international conference on Automated software engineering (ASE).

[32]

Qian Feng, Rundong Zhou, Yanhui Zhao, Jia Ma, Yifei Wang, Na Yu, Xudong Jin, Jian Wang, Ahmed Azab, and Peng Ning. [n.d.]. Learning Binary Representationfor Automatic Patch Detection. In Proceedings of the 16th IEEE Annual Consumer Communications & Networking Conference (CCNC).

[33]

Nir Friedman, Dan Geiger, and Moises Goldszmidt. [n.d.]. Bayesian Network Classifiers. Machine learning ([n. d.]).

[34]

Guo Haixiang, Li Yijing, Jennifer Shang, Gu Mingyun, Huang Yuanyue, and Gong Bing. [n.d.]. Learning from Class-imbalanced Data: Review of Methods and Applications. Expert Systems with Applications ([n. d.]).

[35]

Abram Hindle, Daniel M. German, Michael W. Godfrey, and Richard C. Holt. 2009. Automatic Classification of Large Changes into Maintenance categories. In Proceedings of the 17th International Conference on Program Comprehension (ICPC).

[36]

Tin Kam Ho. [n.d.]. Random Decision Forests. In Proceedings of the 3rd International Conference on Document Analysis and Recognition (ICDAR).

[37]

Xuan Huo, Ming Li, and Zhi-Hua Zhou. 2016. Learning Unified Features from Natural and Programming Languages for Locating Buggy Source Code. In Proceedings of the Twenty-Fifth International Joint Conference on Artificial Intelligence (IJCAI).

Digital Library

[38]

Jiyong Jang, Abeer Agrawal, and David Brumley. [n.d.]. ReDeBug: Finding Unpatched Code Clones in Entire OS Distributions. In Proceedings of the 33rd IEEE Symposium on Security and Privacy (S&P).

[39]

Zheyue Jiang, Yuan Zhang, Jun Xu, Qi Wen, Zhenghe Wang, Xiaohan Zhang, Xinyu Xing, Min Yang, and Zhemin Yang. 2020. PDiff: Semantic-based Patch Presence Testing for Downstream Kernels. In Proceedings of the 27th ACM SIGSAC Conference on Computer and Communications Security (CCS).

Digital Library

[40]

Guoliang Jin, Linhai Song, Xiaoming Shi, Joel Scherpelz, and Shan Lu. 2012. Understanding and Detecting Real-World Performance Bugs. In Proceedings of the 33rd ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI).

Digital Library

[41]

Shubhra Kanti Karmaker Santu, Parikshit Sondhi, and ChengXiang Zhai. 2017. On Application of Learning to Rank for E-Commerce Search. In Proceedings of the 40th International ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR).

Digital Library

[42]

Dongsun Kim, Yida Tao, Sunghun Kim, and Andreas Zeller. [n.d.]. Where should we fix this bug? a two-phase recommendation model. IEEE transactions on software Engineering 39, 11 ([n. d.]).

[43]

Seulbae Kim, Seunghoon Woo, Heejo Lee, and Hakjoo Oh. [n.d.]. VUDDY: A Scalable Approach for Vulnerable Code Clone Discovery. In Proceedings of the 38th IEEE Symposium on Security and Privacy (S&P).

[44]

An Ngoc Lam, Anh Tuan Nguyen, Hoan Anh Nguyen, and Tien N. Nguyen. 2017. Bug Localization with Combination of Deep Learning and Information Retrieval. In Proceedings of the 25th International Conference on Program Comprehension (ICPC).

[45]

Frank Li and Vern Paxson. [n.d.]. A Large-scale Empirical Study of Security Patches. In Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security (CCS).

[46]

Hongliang Liang, Lu Sun, Meilin Wang, and Yuxing Yang. [n.d.]. Deep learning with customized abstract syntax tree for bug localization. IEEE Access 7 ([n. d.]).

[47]

Zhen Liu, Qiang Wei, and Yan Cao. [n.d.]. Vfdetect: A Vulnerable Code Clone Detection System Based on Vulnerability Fingerprint. In Proceedings of the 3rd Information Technology and Mechatronics Engineering Conference (ITOEC).

[48]

Edward Loper and Steven Bird. [n.d.]. NLTK: the Natural Language Toolkit. In Proceedings of the ACL-02 Workshop on Effective tools and methodologies for teaching natural language processing and computational linguistics-Volume 1.

[49]

Victoria López, Alberto Fernández, Salvador García, Vasile Palade, and Francisco Herrera. [n.d.]. An Insight into Classification with Imbalanced Data: Empirical Results and Current Trends on Using Data Intrinsic Characteristics. Information sciences ([n. d.]).

[50]

Aravind Machiry, Nilo Redini, Eric Camellini, Christopher Kruegel, and Giovanni Vigna. 2020. SPIDER: Enabling Fast Patch Propagation In Related Software Repositories. In Proceedings of the 41th IEEE Symposium on Security and Privacy (S&P).

[51]

Dongliang Mu, Alejandro Cuevas, Limin Yang, Hang Hu, Xinyu Xing, Bing Mao, and Gang Wang. 2018. Understanding the Reproducibility of Crowd-reported Security Vulnerabilities. In Proceedings of the 27th USENIX Security Symposium (USENIX Security).

[52]

Collin Mulliner, Jon Oberheide, William Robertson, and Engin Kirda. [n.d.]. Patchdroid: Scalable Third-party Security Patches for Android Devices. In Proceedings of the 29th Annual Computer Security Applications Conference (ACSAC).

[53]

Stephan Neuhaus, Thomas Zimmermann, Christian Holler, and Andreas Zeller. 2007. Predicting Vulnerable Software Components. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS).

Digital Library

[54]

U.S. National Institute of Standards and Technology. 2016. NVD - CVE-2016--4417. https://nvd.nist.gov/vuln/detail/CVE-2016--4417.

[55]

U.S. National Institute of Standards and Technology. 2021. National Vulnerability Database. https://nvd.nist.gov/home.cfm.

[56]

Adam Paszke, Sam Gross, Francisco Massa, Adam Lerer, James Bradbury, Gregory Chanan, Trevor Killeen, Zeming Lin, Natalia Gimelshein, Luca Antiga, Alban Desmaison, Andreas Kopf, Edward Yang, Zachary DeVito, Martin Raison, Alykhan Tejani, Sasank Chilamkurthy, Benoit Steiner, Lu Fang, Junjie Bai, and Soumith Chintala. [n.d.]. In Proceedings of the 32nd Advances in Neural Information Processing Systems (NIPS).

[57]

Henning Perl, Sergej Dechand, Matthew Smith, Daniel Arp, Fabian Yamaguchi, Konrad Rieck, Sascha Fahl, and Yasemin Acar. 2015. VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assist Code Audits. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS).

Digital Library

[58]

John C Platt. [n.d.]. Advances in Kernel Methods. Chapter Fast Training of Support Vector Machines using Sequential Minimal Optimization. MIT Press, Cambridge, MA, USA ([n. d.]).

Digital Library

[59]

Sebastian Poeplau and Aurélien Francillon. [n.d.]. Symbolic Execution with SymCC: Don't Interpret, Compile!. In Proceedings of the 29th USENIX Security Symposium (USENIX Security).

[60]

Eric Rescorla. [n.d.]. Security holes... Who cares?. In Proceedings of the 12th USENIX Security Symposium (USENIX Security).

[61]

Ripon K. Saha, Matthew Lease, Sarfraz Khurshid, and Dewayne E. Perry. 2013. Improving Bug Localization Using Structured Information Retrieval. In Proceedings of the 28th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[62]

Armin Sarabi, Ziyun Zhu, Chaowei Xiao, Mingyan Liu, and Tudor Dumitra?. [n.d.]. Patch Me If You Can: A Study on the Effects of Individual User Behavior on the End-Host Vulnerability State. In Proceedings of the 2017 International Conference on Passive and Active Network Measurement (PAM).

[63]

Yang Song, Hongning Wang, and Xiaodong He. 2014. Adapting Deep RankNet for Personalized Search. In Proceedings of the 7th ACM International Conference on Web Search and Data Mining (WSDM).

Digital Library

[64]

Mauricio Soto, Ferdian Thung, Chu-Pan Wong, Claire Le Goues, and David Lo.2016. A Deeper Look into Bug Fixes: Patterns, Replacements, Deletions, and Additions. In Proceedings of the 13th Working Conference on Mining Software Repositories (MSR).

[65]

Yulei Sui and Jingling Xue. [n.d.]. SVF: Interprocedural Static Value-Flow Analysis in LLVM. In Proceedings of the 25th International Conference on Compiler Construction (CC).

[66]

Yuan Tian, Julia Lawall, and David Lo. 2012. Identifying Linux Bug Fixing Patches. In Proceedings of the 34th International Conference on Software Engineering (ICSE).

[67]

Princeton University. 2010. WordNet. https://wordnet.princeton.edu/.

[68]

Shaowei Wang and David Lo. 2014. Version History, Similar Report, and Structure: Putting Them Together for Improved Bug Localization. In Proceedings of the 22nd International Conference on Program Comprehension (ICPC).

Digital Library

[69]

Xinda Wang, Kun Sun, Archer Batcheller, and Sushil Jajodia. [n.d.]. Detecting "0-Day" Vulnerability: An Empirical Study of Secret Security Patch in OSS. In Proceedings of the 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[70]

Xinda Wang, Shu Wang, Pengbin Feng, Kun Sun, and Sushil Jajodia. 2021. PatchDB: A Large-Scale Security Patch Dataset. In 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[71]

Ming Wen, Rongxin Wu, and Shing-Chi Cheung. 2016. Locus: Locating Bugs from Software Changes. In Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).

Digital Library

[72]

Wireshark. 2016. Patch of CVE-2016--4417. https://gitlab.com/wireshark/wireshark/-/commit/c31425f9ae15067e26ccc6183c206c34713cb256.

[73]

Yang Xiao, Bihuan Chen, Chendong Yu, Zhengzi Xu, Zimu Yuan, Feng Li, Binghong Liu, Yang Liu, Wei Huo, Wei Zou, and Wenchang Shi. 2020. MVP: Detecting Vulnerabilities using Patch-Enhanced Vulnerability Signatures. In Proceedings of the 29th USENIX Security Symposium (USENIX Security).

[74]

Yifei Xu, Zhengzi Xu, Bihuan Chen, Fu Song, Yang Liu, and Ting Liu. 2020. Patch Based Vulnerability Matching for Binary Programs. In Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA).

Digital Library

[75]

Zhengzi Xu, Bihuan Chen, Mahinthan Chandramohan, Yang Liu, and Fu Song. [n.d.]. SPAIN: security patch analysis for binaries towards understanding the pain and pills. In Proceedings of the 39th International Conference on Software Engineering (ICSE).

[76]

Xin Ye, Razvan Bunescu, and Chang Liu. 2014. Learning to Rank Relevant Files for Bug Reports Using Domain Knowledge. In Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE).

Digital Library

[77]

Zuoning Yin, Ding Yuan, Yuanyuan Zhou, Shankar Pasupathy, and Lakshmi Bairavasundaram. 2011. How Do Fixes Become Bugs?. In Proceedings of the 19th ACM SIGSOFT Symposium and the 13th European Conference on Foundations of Software Engineering (ESEC/FSE).

Digital Library

[78]

Klaus Changsun Youm, June Ahn, Jeongho Kim, and Eunseok Lee. [n.d.]. Bug localization based on code change histories and bug reports. In Asia-Pacific Software Engineering Conference (APSEC).

[79]

Hang Zhang and Zhiyun Qian. 2018. Precise and Accurate Patch Presence Test for Binaries. In Proceedings of the 27th USENIX Security Symposium (USENIX Security). USA.

[80]

Hao Zhong and Zhendong Su. 2015. An Empirical Study on Real Bug Fixes. In Proceedings of the 37th IEEE International Conference on Software Engineering (ICSE).

[81]

Jian Zhou, Hongyu Zhang, and David Lo. 2012. Where Should the Bugs Be Fixed? - More Accurate Information Retrieval-Based Bug Localization Based on Bug Reports. In Proceedings of the 34th International Conference on Software Engineering (ICSE).

Cited By

Woo SChoi ELee H(2025)A large-scale analysis of the effectiveness of publicly reported security patchesComputers & Security10.1016/j.cose.2024.104181148(104181)Online publication date: Jan-2025
https://doi.org/10.1016/j.cose.2024.104181
Lin RFu YYi WYang JCao JDong ZXie FLi H(2024)Vulnerabilities and Security Patches Detection in OSS: A SurveyACM Computing Surveys10.1145/369478257:1(1-37)Online publication date: 9-Sep-2024
https://dl.acm.org/doi/10.1145/3694782
Wu SWang RHuang KCao YSong WZhou ZHuang YChen BPeng XFilkov VRay BZhou M(2024)Vision: Identifying Affected Library Versions for Open Source Software VulnerabilitiesProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695516(1447-1459)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691620.3695516
Show More Cited By

Index Terms

Locating the Security Patches for Disclosed OSS Vulnerabilities with Vulnerability-Commit Correlation Ranking
1. Security and privacy
  1. Software and application security
2. Software and its engineering
  1. Software creation and management
    1. Software post-development issues
      1. Maintaining software

Recommendations

A Large-Scale Empirical Study of Security Patches
CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Given how the "patching treadmill" plays a central role for enabling sites to counter emergent security concerns, it behooves the security community to understand the patch development process and characteristics of the resulting fixes. Illumination of ...
Understanding the Practice of Security Patch Management across Multiple Branches in OSS Projects
WWW '22: Proceedings of the ACM Web Conference 2022

Since the users of open source software (OSS) projects may not use the latest version all the time, OSS development teams often support code maintenance for old versions through maintaining multiple stable branches. Typically, the developers create a ...
Tracking patches for open source software vulnerabilities
ESEC/FSE 2022: Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering

Open source software (OSS) vulnerabilities threaten the security of software systems that use OSS. Vulnerability databases provide valuable information (e.g., vulnerable version and patch) to mitigate OSS vulnerabilities. There arises a growing ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

November 2021

3558 pages

ISBN:9781450384544

DOI:10.1145/3460120

General Chairs:
Yongdae Kim
KAIST, Republic of Korea
,
Jong Kim
POSTECH, Republic of Korea
,
Program Chairs:
Giovanni Vigna
University of California, Santa Barbara / VMware, USA
,
Elaine Shi
Carnegie Mellon University, USA

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 November 2021

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

CCS '21

Sponsor:

SIGSAC

CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security

November 15 - 19, 2021

Virtual Event, Republic of Korea

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

21
Total Citations
View Citations
1,643
Total Downloads

Downloads (Last 12 months)679
Downloads (Last 6 weeks)104

Reflects downloads up to 11 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Woo SChoi ELee H(2025)A large-scale analysis of the effectiveness of publicly reported security patchesComputers & Security10.1016/j.cose.2024.104181148(104181)Online publication date: Jan-2025
https://doi.org/10.1016/j.cose.2024.104181
Lin RFu YYi WYang JCao JDong ZXie FLi H(2024)Vulnerabilities and Security Patches Detection in OSS: A SurveyACM Computing Surveys10.1145/369478257:1(1-37)Online publication date: 9-Sep-2024
https://dl.acm.org/doi/10.1145/3694782
Wu SWang RHuang KCao YSong WZhou ZHuang YChen BPeng XFilkov VRay BZhou M(2024)Vision: Identifying Affected Library Versions for Open Source Software VulnerabilitiesProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695516(1447-1459)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691620.3695516
Wu YWen MYu ZGuo XJin HFilkov VRay BZhou M(2024)Effective Vulnerable Function Identification based on CVE Description Empowered by Large Language ModelsProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695013(393-405)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691620.3695013
Li KZhang JChen SLiu HLiu YChen YChristakis MPradel M(2024)PatchFinder: A Two-Phase Approach to Security Patch Tracing for Disclosed Vulnerabilities in Open-Source SoftwareProceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3650212.3680305(590-602)Online publication date: 11-Sep-2024
https://dl.acm.org/doi/10.1145/3650212.3680305
Zhang LRoychoudhury APaiva AAbreu RStorey M(2024)Vulnerability Root Cause Function Locating For Java VulnerabilitiesProceedings of the 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings10.1145/3639478.3641225(444-446)Online publication date: 14-Apr-2024
https://dl.acm.org/doi/10.1145/3639478.3641225
Zhang JHu XBao LXia XLi S(2024)Dual Prompt-Based Few-Shot Learning for Automated Vulnerability Patch Localization2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)10.1109/SANER60148.2024.00102(940-951)Online publication date: 12-Mar-2024
https://doi.org/10.1109/SANER60148.2024.00102
Sabetta APonta SCabrera Lozoya RBezzi MSacchetti TGreco MBalogh GHegedűs PFerenc RParamitha RPashchenko IPapotti AMilánkovich ÁMassacci F(2024)Known Vulnerabilities of Open Source Projects: Where Are the Fixes?IEEE Security and Privacy10.1109/MSEC.2023.334383622:2(49-59)Online publication date: 5-Jan-2024
https://dl.acm.org/doi/10.1109/MSEC.2023.3343836
Zuo FRhee J(2024)Vulnerability discovery based on source code patch commit mining: a systematic literature reviewInternational Journal of Information Security10.1007/s10207-023-00795-823:2(1513-1526)Online publication date: 6-Jan-2024
https://dl.acm.org/doi/10.1007/s10207-023-00795-8
Zhou XPang JShan ZYue FLiu FXu JWang JLiu WLiu G(2023)TMVDPatch: A Trusted Multi-View Decision System for Security Patch IdentificationApplied Sciences10.3390/app1306393813:6(3938)Online publication date: 20-Mar-2023
https://doi.org/10.3390/app13063938
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents