Discovering Vulnerabilities and Patches for Open Source Security

Tamara Gunkel, Thomas Hupperich

2022

Abstract

Open source software is used in numerous systems, and security vulnerabilities in such software often affect many targets at once. Hence, it is crucial to find security vulnerabilities as soon as possible. A convenient method to check software for vulnerabilities is executing a static code analysis tool before deployment. However, verifying the reliability of such tools requires real-world data including labeled non-vulnerable and vulnerable code. This paper introduces an approach to automatically create and enhance a labeled data set of open source projects. The ground truth of vulnerabilities is extracted from up-to-date CVEs. We identify repositories related to known vulnerabilities, select vulnerable versions and take patch commits into account. In this context, we utilize Gradient Boosting based on regression trees as a meta classifier for associating patch commits with CWE categories. Given the high precision of this matching, we give insights into the impact of certain vulnerabilities and a general overview of open source code security. Our findings may be used for future studies, such as the impact of certain code design criteria, e.g. clean code, on the prevalence of vulnerabilities.
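The data-set construction the abstract outlines (CVE ground truth, related repository, vulnerable versions, patch commit, CWE label) as an added worked example in Python. This is not the authors' code: it assumes CVE records in the public NVD 2.0 JSON layout (references with tags, weaknesses, configurations with cpeMatch entries) and takes GitHub commit URLs as the source of patch commits; the CVE identifiers, repositories and commit hashes in the sample input are constructed, and the paper's gradient-boosting CWE classifier is not reproduced (CWE labels are read directly from the record).

```python
"""Added example, not the paper's code: build the labelled ground truth the abstract
describes (repository, vulnerable versions, patch commit, CWE) from CVE records in the
NVD 2.0 JSON layout. The records in SAMPLE_CVES are constructed, not real CVEs."""
import re
from collections import Counter
from dataclasses import dataclass, field

# GitHub commit URL as it appears in NVD references (with or without a "Patch" tag).
COMMIT_URL = re.compile(
    r"^https?://github\.com/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)/commit/(?P<sha>[0-9a-f]{7,40})\b")
CWE_ID = re.compile(r"^CWE-\d+$")   # NVD-CWE-Other / NVD-CWE-noinfo carry no usable label

@dataclass
class PatchRecord:
    cve_id: str
    repo: str        # "owner/name" on GitHub
    sha: str         # the fix commit
    cwes: list = field(default_factory=list)
    affected: list = field(default_factory=list)   # (vendor/product, exact_version, fixed_in)

def patch_commits(cve):
    """(repo, sha) for the fix commits: references NVD tagged 'Patch' win; any other
    GitHub commit link is used only when no tagged one exists. Advisories and pull-request
    pages carry no commit hash and are ignored."""
    tagged, untagged = [], []
    for ref in cve.get("references", []):
        m = COMMIT_URL.match(ref.get("url", ""))
        if m:
            bucket = tagged if "Patch" in ref.get("tags", []) else untagged
            bucket.append((f"{m['owner']}/{m['repo']}", m["sha"]))
    chosen = tagged or untagged
    return list(dict.fromkeys(chosen))          # de-duplicate, keep order

def cwe_ids(cve):
    """CWE labels of the CVE, dropping NVD's placeholder categories."""
    out = []
    for weakness in cve.get("weaknesses", []):
        for desc in weakness.get("description", []):
            if CWE_ID.match(desc.get("value", "")) and desc["value"] not in out:
                out.append(desc["value"])
    return out

def affected_versions(cve):
    """(vendor/product, exact_version, fixed_in) per vulnerable CPE match; exact_version is
    None for wildcard CPEs, fixed_in comes from versionEndExcluding when present."""
    out = []
    for conf in cve.get("configurations", []):
        for node in conf.get("nodes", []):
            for match in node.get("cpeMatch", []):
                parts = match["criteria"].split(":")   # cpe:2.3:part:vendor:product:version:...
                if not match.get("vulnerable") or len(parts) < 6:
                    continue        # non-vulnerable entries only give platform context
                exact = None if parts[5] in ("*", "-") else parts[5]
                out.append((f"{parts[3]}/{parts[4]}", exact, match.get("versionEndExcluding")))
    return out

def build_dataset(cves):
    """One PatchRecord per (CVE, fix commit); CVEs without a usable commit link are skipped."""
    records = []
    for item in cves:
        cve = item["cve"]
        for repo, sha in patch_commits(cve):
            records.append(PatchRecord(cve["id"], repo, sha, cwe_ids(cve), affected_versions(cve)))
    return records

def cwe_histogram(records):
    """How often each CWE category occurs among the patched vulnerabilities."""
    return Counter(c for r in records for c in r.cwes)

# Constructed sample records (NVD 2.0 shape; synthetic IDs, repositories and hashes).
SAMPLE_CVES = [
    {"cve": {"id": "CVE-0000-00001",
             "references": [
                 {"url": "https://example.invalid/advisory/1", "tags": ["Third Party Advisory"]},
                 {"url": "https://github.com/example-org/example-lib/commit/"
                         "0123456789abcdef0123456789abcdef01234567", "tags": ["Patch"]}],
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}]}],
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "versionEndExcluding": "2.4.1",
                  "criteria": "cpe:2.3:a:example_vendor:example_lib:*:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-00002",   # untagged follow-up commit plus the Patch-tagged fix
             "references": [
                 {"url": "https://github.com/example-org/other-lib/commit/"
                         "89abcdef0123456789abcdef0123456789abcdef", "tags": []},
                 {"url": "https://github.com/example-org/other-lib/commit/"
                         "fedcba9876543210fedcba9876543210fedcba98", "tags": ["Patch"]}],
             "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"},
                                             {"lang": "en", "value": "CWE-787"}]}],
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:example_vendor:other_lib:1.0.0:*:*:*:*:*:*:*"},
                 {"vulnerable": False,
                  "criteria": "cpe:2.3:o:example_vendor:some_os:-:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-00003",   # only a pull-request link: no commit hash, no record
             "references": [{"url": "https://github.com/example-org/third-lib/pull/42", "tags": ["Patch"]}],
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}]}],
             "configurations": []}},
]

if __name__ == "__main__":
    rows = build_dataset(SAMPLE_CVES)
    print(*rows, dict(cwe_histogram(rows)), sep="\n")
```

The "Patch"-tag preference matters in practice: NVD often lists several commits for one CVE (backports, follow-ups, reverts), and treating all of them as the fix would mislabel non-vulnerable code as vulnerable in the resulting data set. Pull-request links are deliberately not resolved here, since doing so needs the GitHub API; a real pipeline would resolve them to merge commits before the classification step.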

Paper Citation


in Harvard Style

Gunkel T. and Hupperich T. (2022). Discovering Vulnerabilities and Patches for Open Source Security. In Proceedings of the 17th International Conference on Software Technologies - Volume 1: ICSOFT, ISBN 978-989-758-588-3, pages 641-648. DOI: 10.5220/0011299400003266


in Bibtex Style

@conference{icsoft22,
author={Tamara Gunkel and Thomas Hupperich},
title={Discovering Vulnerabilities and Patches for Open Source Security},
booktitle={Proceedings of the 17th International Conference on Software Technologies - Volume 1: ICSOFT},
year={2022},
pages={641-648},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0011299400003266},
isbn={978-989-758-588-3},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 17th International Conference on Software Technologies - Volume 1: ICSOFT
TI - Discovering Vulnerabilities and Patches for Open Source Security
SN - 978-989-758-588-3
AU - Gunkel T.
AU - Hupperich T.
PY - 2022
SP - 641
EP - 648
DO - 10.5220/0011299400003266