Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers
Di Nucci D.; Tamburri D. A.
2024-01-01
Abstract
The sources of reliable, code-level information about vulnerabilities that affect open-source software (OSS) are scarce, which hinders broad adoption of advanced tools that provide code-level detection and assessment of vulnerable OSS dependencies. In this paper, we report our findings from using features extracted from four off-the-shelf static code analyzers (PMD, Checkstyle, CK, Progex), which rely on pattern matching, software metrics or program analysis, in a machine-learning pipeline to identify source code commits that contain vulnerability fixes. We show that successful machine learning models based on base classifiers and ensemble techniques can be trained on the combination of these features.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.