Bibliographic Details
Main Authors: Sabetta, Antonino, Bezzi, Michele
Format: Preprint
Published: 2018
Online Access: https://arxiv.org/abs/1807.02458
Abstract: The lack of reliable sources of detailed information on the vulnerabilities of open-source software (OSS) components is a major obstacle to maintaining a secure software supply chain and an effective vulnerability management process. Standard sources of advisories and vulnerability data, such as the National Vulnerability Database (NVD), are known to suffer from poor coverage and inconsistent quality. To reduce our dependency on these sources, we propose an approach that uses machine learning to analyze source code repositories and to automatically identify commits that are security-relevant (i.e., that are likely to fix a vulnerability). We treat the source code changes introduced by commits as documents written in natural language, classifying them using standard document classification methods. Combining independent classifiers that use information from different facets of commits, our method can yield high precision (80%) while ensuring acceptable recall (43%). In particular, the use of information extracted from the source code changes yields a substantial improvement over the best known approach in the state of the art, while requiring a significantly smaller amount of training data and employing a simpler architecture.
Institution: arXiv
Title: A Practical Approach to the Automatic Classification of Security-Relevant Commits
Subjects: Cryptography and Security