Search Results for author: Antonino Sabetta

Found 7 papers, 5 papers with code

Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers

1 code implementation • 7 May 2021 • Therese Fehrer, Rocío Cabrera Lozoya, Antonino Sabetta, Dario Di Nucci, Damian A. Tamburri

The sources of reliable, code-level information about vulnerabilities that affect open-source software (OSS) are scarce, which hinders a broad adoption of advanced tools that provide code-level detection and assessment of vulnerable OSS dependencies.

Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories

2 code implementations • 24 Mar 2021 • Daan Hommersom, Antonino Sabetta, Bonaventura Coppola, Dario Di Nucci, Damian A. Tamburri

When considering the top-10 commits in the ranked results, our implementation could successfully identify at least one fix commit for up to 84.03% of the vulnerabilities (with a fix commit on the first position for 65.06% of the vulnerabilities).

Commit2Vec: Learning Distributed Representations of Code Changes

no code implementations • 18 Nov 2019 • Rocío Cabrera Lozoya, Arnaud Baumann, Antonino Sabetta, Michele Bezzi

In this work, we elaborate upon a state-of-the-art approach to the representation of source code that uses information about its syntactic structure, and we adapt it to represent source changes (i.e., commits).

General Classification Image Classification +1

Exploiting Token and Path-based Representations of Code for Identifying Security-Relevant Commits

no code implementations • 15 Nov 2019 • Achyudh Ram, Ji Xin, Meiyappan Nagappan, Yao-Liang Yu, Rocío Cabrera Lozoya, Antonino Sabetta, Jimmy Lin

Public vulnerability databases such as CVE and NVD account for only 60% of security vulnerabilities present in open-source projects, and are known to suffer from inconsistent quality.

A Manually-Curated Dataset of Fixes to Vulnerabilities of Open-Source Software

3 code implementations • 7 Feb 2019 • Serena E. Ponta, Henrik Plate, Antonino Sabetta, Michele Bezzi, Cédric Dangremont

While operating a vulnerability assessment tool that we developed and that is currently used by hundreds of development units at SAP, we manually collected and curated a dataset of vulnerabilities of open-source software and the commits fixing them.

Beyond Metadata: Code-centric and Usage-based Analysis of Known Vulnerabilities in Open-source Software

3 code implementations • 15 Jun 2018 • Serena E. Ponta, Henrik Plate, Antonino Sabetta

The use of open-source software (OSS) is ever-increasing, and so is the number of open-source vulnerabilities being discovered and publicly disclosed.

Cryptography and Security Software Engineering

Impact assessment for vulnerabilities in open-source software libraries

3 code implementations • 20 Apr 2015 • Henrik Plate, Serena Elisa Ponta, Antonino Sabetta

Software applications integrate more and more open-source software (OSS) to benefit from code reuse.

Cryptography and Security Software Engineering
