The open-source software (OSS) vulnerability management process matters more than ever, as the number of discovered OSS vulnerabilities keeps increasing. Monitoring vulnerability-fixing commits is part of the standard process to prevent exploitation of vulnerabilities. Manually detecting vulnerability-fixing commits is, however, time-consuming because of the potentially large number of commits to review. Recently, many techniques have been proposed to detect vulnerability-fixing commits automatically using machine learning. These solutions either (1) do not use deep learning, or (2) apply deep learning to only limited sources of information. This paper proposes VulCurator, a tool that applies deep learning to richer sources of information, including commit messages, code changes, and issue reports, for vulnerability-fixing commit classification. Our experimental results show that VulCurator outperforms the state-of-the-art baselines by up to 16.1% in terms of F1-score.
The VulCurator tool is publicly available on GitHub at https://github.com/ntgiang71096/VFDetector, with a demo video at https://youtu.be/uMlFmWSJYOE.
Wed 16 Nov (displayed time zone: Beijing, Chongqing, Hong Kong, Urumqi)

14:00 - 15:30 | Security (Demonstrations / Research Papers) at SRC LT 50 | Chair(s): Andreea Costea, School of Computing, National University of Singapore

14:00 | 15m Talk | Automated Unearthing of Dangerous Issue Reports (Research Papers) | Shengyi Pan (Zhejiang University), Jiayuan Zhou (Huawei), Filipe Cogo (Huawei), Xin Xia (Huawei), Lingfeng Bao (Zhejiang University), Xing Hu (Zhejiang University), Shanping Li (Zhejiang University), Ahmed E. Hassan (Queen's University)

14:15 | 15m Talk | On the Vulnerability Proneness of Multilingual Code (Research Papers) | Wen Li (Washington State University), Li Li (Monash University), Haipeng Cai (Washington State University)

14:30 | 7m Talk | VulCurator: A Vulnerability-Fixing Commit Detector (Demonstrations) | Truong Giang Nguyen (Singapore Management University), Le-Cong Thanh (Singapore Management University), Hong Jin Kang (Singapore Management University), Xuan-Bach D. Le (University of Melbourne), David Lo (Singapore Management University)

14:38 | 7m Talk | KVS: A Tool for Knowledge-Driven Vulnerability Searching (Demonstrations) | Xingqi Cheng (Yangzhou University), Xiaobing Sun (Yangzhou University), Lili Bo (Yangzhou University), Ying Wei (Yangzhou University)

14:45 | 7m Talk | MANDO-GURU: Vulnerability Detection for Smart Contract Source Code By Heterogeneous Graph Embeddings (Demonstrations) | Hoang H. Nguyen (L3S Research Center, Leibniz Universität Hannover, Hannover, Germany), Nhat-Minh Nguyen (Singapore Management University, Singapore), Hong-Phuc Doan (Hanoi University of Science and Technology, Hanoi, Vietnam), Zahra Ahmadi (L3S Research Center, Leibniz Universität Hannover, Hannover, Germany), Thanh-Nam Doan (Independent Researcher, Atlanta, Georgia, USA), Lingxiao Jiang (Singapore Management University)

14:53 | 7m Talk | FastKLEE: Faster Symbolic Execution via Reducing Redundant Bound Checking of Type-Safe Pointers (Demonstrations) | Haoxin Tu (Singapore Management University, Singapore), Lingxiao Jiang (Singapore Management University), Xuhua Ding (Singapore Management University), He Jiang (Dalian University of Technology)