Inspecting JavaScript Vulnerability Mitigation Patches with Automated Fix Generation in Mind

Hegedűs, Péter

doi:10.1007/978-3-030-58811-3_69

Cited by 1 publication

(1 citation statement)

References 15 publications

(21 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Analysis of vulnerability fixing patches Similar to how the vulnerable code in CVEfixes can be used to better understand how security vulnerabilities are introduced in code and how these can be automatically predicted, the fixes offered by CVEfixes can be used to analyze and build on vulnerability fixing patches. Several studies have already initiated research analyzing such patches, such as the detection of patterns that can be used in automated program repair [41], and the identification of security-relevant commits, also known as pre-patches, as these may inadvertently leak information about security vulnerabilities before the CVE is published [42,43]. Other research has analyzed vulnerability fixing patches to facilitate the automated transformation of patches into "honeypots" that help trap malicious actors and detect if the corresponding vulnerabilities are exploited in the wild [44].…”

Section: Automated Vulnerability Prediction/identificationmentioning

confidence: 99%

CVEfixes: automated collection of vulnerabilities and their fixes from open-source software

Bhandari

Naseer

Moonen

2021

Proceedings of the 17th International Conference on Predictive Models and Data Analytics in Software Engineering

View full text Add to dashboard Cite

Data-driven research on the automated discovery and repair of security vulnerabilities in source code requires comprehensive datasets of real-life vulnerable code and their fixes. To assist in such research, we propose a method to automatically collect and curate a comprehensive vulnerability dataset from Common Vulnerabilities and Exposures (CVE) records in the public National Vulnerability Database (NVD). We implement our approach in a fully automated dataset collection tool and share an initial release of the resulting vulnerability dataset named CVEfixes.The CVEfixes collection tool automatically fetches all available CVE records from the NVD, gathers the vulnerable code and corresponding fixes from associated open-source repositories, and organizes the collected information in a relational database. Moreover, the dataset is enriched with meta-data such as programming language, and detailed code and security metrics at five levels of abstraction. The collection can easily be repeated to keep up-todate with newly discovered or patched vulnerabilities. The initial release of CVEfixes spans all published CVEs up to 9 June 2021, covering 5365 CVE records for 1754 open-source projects that were addressed in a total of 5495 vulnerability fixing commits.CVEfixes supports various types of data-driven software security research, such as vulnerability prediction, vulnerability classification, vulnerability severity prediction, analysis of vulnerabilityrelated code changes, and automated vulnerability repair. CCS CONCEPTS• Security and privacy → Software and application security; Vulnerability management; • Software and its engineering → Software defect analysis; Software libraries and repositories.

show abstract