Revisiting the VCCFinder approach for the identification of vulnerability-contributing commits

Riom, Timothée; Sawadogo, Arthur D.; Allix, Kevin; Bissyandé, Tegawendé F.; Moha, Naouel; Klein, Jacques

doi:10.1007/s10664-021-09944-w

Cited by 8 publications

(2 citation statements)

References 43 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Kamei et al uses source-code metrics and Kim et al uses features extracted from the revision history of software projects [13,14]. Similarly, other works extract features from metrics and/or commit metadata to enhance the procedure of code quality assessment and ultimately prevent vulnerabilities [9,15]. Usually, in these methods, the extracted features are fed into a machine learning model, such as an SVM or a random forest.…”

Section: Related Workmentioning

confidence: 99%

A Comparative Study of Commit Representations for JIT Vulnerability Prediction

Aladics,

Hegedűs,

Ferenc

2024

Computers

View full text Add to dashboard Cite

With the evolution of software systems, their size and complexity are rising rapidly. Identifying vulnerabilities as early as possible is crucial for ensuring high software quality and security. Just-in-time (JIT) vulnerability prediction, which aims to find vulnerabilities at the time of commit, has increasingly become a focus of attention. In our work, we present a comparative study to provide insights into the current state of JIT vulnerability prediction by examining three candidate models: CC2Vec, DeepJIT, and Code Change Tree. These unique approaches aptly represent the various techniques used in the field, allowing us to offer a thorough description of the current limitations and strengths of JIT vulnerability prediction. Our focus was on the predictive power of the models, their usability in terms of false positive (FP) rates, and the granularity of the source code analysis they are capable of handling. For training and evaluation, we used two recently published datasets containing vulnerability-inducing commits: ProjectKB and Defectors. Our results highlight the trade-offs between predictive accuracy and operational flexibility and also provide guidance on the use of ML-based automation for developers, especially considering false positive rates in commit-based vulnerability prediction. These findings can serve as crucial insights for future research and practical applications in software security.

show abstract

Section: Related Workmentioning

confidence: 99%

A Comparative Study of Commit Representations for JIT Vulnerability Prediction

Aladics,

Hegedűs,

Ferenc

2024

Computers

View full text Add to dashboard Cite

show abstract

“…Although some studies attempted to remediate this by making their datasets available, not many of them made the code and methods used to create these datasets available, which has made reproduction and adaptation efforts very difficult. Riom et al [75] found the replication of a seminal work [P16] infeasible due to these challenges.…”

Section: Consideration Of Other Data Dimensionsmentioning

confidence: 99%

Data Preparation for Software Vulnerability Prediction: A Systematic Literature Review

Croft¹,

Xie²,

Babar³

2021

Preprint

View full text Add to dashboard Cite

Software Vulnerability Prediction (SVP) is a data-driven technique for software quality assurance that has recently gained considerable attention in the Software Engineering research community. However, the difficulties of preparing Software Vulnerability (SV) related data remains as the main barrier to industrial adoption. Despite this problem, there have been no systematic efforts to analyse the existing SV data preparation techniques and challenges. Without such insights, we are unable to overcome the challenges and advance this research domain. Hence, we are motivated to conduct a Systematic Literature Review (SLR) of SVP research to synthesize and gain an understanding of the data considerations, challenges and solutions that SVP researchers provide. From our set of primary studies, we identify the main practices for each data preparation step. We then present a taxonomy of 16 key data challenges relating to six themes, which we further map to six categories of solutions. However, solutions are far from complete, and there are several ill-considered issues. We also provide recommendations for future areas of SV data research. Our findings help illuminate the key SV data practices and considerations for SVP researchers and practitioners, as well as inform the validity of the current SVP approaches.

show abstract