Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers

Di Nucci D.; Tamburri D. A.
2024-01-01

Abstract

The sources of reliable, code-level information about vulnerabilities that affect open-source software (OSS) are scarce, which hinders broad adoption of advanced tools that provide code-level detection and assessment of vulnerable OSS dependencies. In this paper, we report our findings from using features extracted from four off-the-shelf static code analyzers (PMD, Checkstyle, CK, Progex), which rely on pattern matching, software metrics or program analysis, in a machine-learning pipeline to identify source code commits that contain vulnerability fixes. We show that effective machine-learning models based on base classifiers and ensemble techniques can be trained on the combination of these features.
Files for this item:
No files are associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11386/4874632

Notice: the data displayed has not been validated by the university.

Citations
  • Scopus 0