APR4Vul: an empirical study of automatic program repair techniques on real-world Java vulnerabilities

Bui, Quang-Cuong; Paramitha, Ranindya; Vu, Duc-Ly; Massacci, Fabio; Scandariato, Riccardo

doi:10.1007/s10664-023-10415-7

Cited by 2 publications

(3 citation statements)

References 81 publications

(82 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Their vulnerability dataset is from CVE [19], Smart Contract Weakness Classification (SWC) [20], and Smart Bugs curated as a ground truth from evaluations. The empirical study [5] has shown the ability of APR tools to generate the trustworthiness of patches for Java security vulnerabilities. The study [3] employs the abstract syntax tree (AST) path technique for representation, enabling the capture of structural information from AST nodes.…”

Section: Related Workmentioning

confidence: 99%

“…The process aims to reduce the manual effort required in debugging and can be particularly useful in large codebases. Our dataset can be utilized in a similar manner as implemented by the existing studies in automated patch generation [31,32], security vulnerability repairing [33,34], and program repair [5,35]. In addition, in the field of research in software engineering, techniques and tools are developed to fix software vulnerabilities automatically.…”

Section: Applications Of Fixmementioning

confidence: 99%

“…Research in APR has been extensively explored for programming language-specific fixes, such as C/C++ [4], Java [5][6][7], PHP [8], and JavaScript [9], and so on. However, there is little research on source code patch identification and prediction due to the lack of aggregated benchmark datasets for multiple programming languages.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

An Incremental Lightweight Method for Vulnerability Data Collection for Security Patches

Bhandari,

Gavric

2024

Preprint

View full text Add to dashboard Cite

Automated Program Repair enhances developers’ efficiency by reducing the time dedicated to debugging and fixing source code vulnerabilities. However, the existing datasets utilized to train patch generation models suffer from various limitations, notably the limited bug context, limited size, and reliance on synthetic and unrealistic source code samples. Additionally, existing dataset extraction tools lack an incremental approach, rendering the inclusion of new data a resource-intensive endeavor in terms of both time and computational resources. In this paper, we introduce FixMe , a novel framework designed for generating patches across diverse programming languages. This open-source tool facilitates an incremental approach to gathering vulnerability records from the Common Vulnerabilities and Exposures (CVE) database. Incorporating an incremental methodology accelerates the data acquisition process, encompassing newly identified vulnerabilities and their corresponding patch pairs. Our dataset curation method involves the extraction of security issues, acquiring vulnerability-fixing commits, and extracting source code from relevant projects. The resultant dataset comprises 18,063 CVEs from 2,133 commits, encompassing 19,109 patch sets with 44,059 vulnerability-fix pairs (patch hunks). This dataset spans 884 open-source projects hosted in git-based systems. Additionally , the study explores fostering the potential of APR techniques in reducing debugging costs and improving software quality by generating patches for fixing vulnerabilities automatically.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Applications Of Fixmementioning

confidence: 99%

See 1 more Smart Citation

An Incremental Lightweight Method for Vulnerability Data Collection for Security Patches

Bhandari,

Gavric

2024

Preprint

View full text Add to dashboard Cite

show abstract

On the acceptance by code reviewers of candidate security patches suggested by Automated Program Repair tools

Papotti,

Paramitha,

Massacci

2024

Empir Software Eng

View full text Add to dashboard Cite

Objective We investigated whether (possibly wrong) security patches suggested by Automated Program Repairs (APR) for real world projects are recognized by human reviewers. We also investigated whether knowing that a patch was produced by an allegedly specialized tool does change the decision of human reviewers. Method We perform an experiment with $$n= 72$$ n = 72 Master students in Computer Science. In the first phase, using a balanced design, we propose to human reviewers a combination of patches proposed by APR tools for different vulnerabilities and ask reviewers to adopt or reject the proposed patches. In the second phase, we tell participants that some of the proposed patches were generated by security-specialized tools (even if the tool was actually a ‘normal’ APR tool) and measure whether the human reviewers would change their decision to adopt or reject a patch. Results It is easier to identify wrong patches than correct patches, and correct patches are not confused with partially correct patches. Also patches from APR Security tools are adopted more often than patches suggested by generic APR tools but there is not enough evidence to verify if ‘bogus’ security claims are distinguishable from ‘true security’ claims. Finally, the number of switches to the patches suggested by security tool is significantly higher after the security information is revealed irrespective of correctness. Limitations The experiment was conducted in an academic setting, and focused on a limited sample of popular APR tools and popular vulnerability types.

show abstract

APR4Vul: an empirical study of automatic program repair techniques on real-world Java vulnerabilities

Cited by 2 publications

References 81 publications

An Incremental Lightweight Method for Vulnerability Data Collection for Security Patches

An Incremental Lightweight Method for Vulnerability Data Collection for Security Patches

On the acceptance by code reviewers of candidate security patches suggested by Automated Program Repair tools

Contact Info

Product

Resources

About