Article (Scientific journals)
Revisiting the VCCFinder approach for the identification of vulnerability-contributing commits
Riom, Timothée; Sawadogo, Delwende Donald Arthur; Allix, Kevin et al.
2021. In Empirical Software Engineering, 26
Peer Reviewed verified by ORBi
 

Files

Full Text: Riom2021_Article_RevisitingTheVCCFinderApproach.pdf, publisher postprint (3.53 MB)

The original publication is available at www.springerlink.com


Details



Keywords :
Vulnerability detection; Machine-Learning; Replication; Software Engineering
Abstract :
[en] Detecting vulnerabilities in software is a constant race between development teams and potential attackers. While many static and dynamic approaches have focused on regularly analyzing the software in its entirety, a recent research direction has focused on the analysis of changes that are applied to the code. VCCFinder is a seminal approach in the literature that builds on machine learning to automatically detect whether an incoming commit will introduce some vulnerabilities. Given the influence of VCCFinder in the literature, we undertake an investigation into its performance as a state-of-the-art system. To that end, we propose to attempt a replication study on the VCCFinder supervised learning approach. The insights of our failure to replicate the results reported in the original publication informed the design of a new approach to identify vulnerability-contributing commits based on a semi-supervised learning technique with an alternate feature set. We provide all artefacts and a clear description of this approach as a new reproducible baseline for advancing research on machine learning-based identification of vulnerability-introducing commits.
Disciplines :
Computer science
Author, co-author :
Riom, Timothée ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
Sawadogo, Delwende Donald Arthur ; Université du Québec à Montréal
Allix, Kevin ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
Bissyande, Tegawendé François D Assise ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
Moha, Naouel ; Université du Québec à Montréal
Klein, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
External co-authors :
yes
Language :
English
Title :
Revisiting the VCCFinder approach for the identification of vulnerability-contributing commits
Publication date :
29 March 2021
Journal title :
Empirical Software Engineering
ISSN :
1573-7616
Publisher :
Springer, United States
Volume :
26
Peer reviewed :
Peer Reviewed verified by ORBi
Focus Area :
Computational Sciences
FnR Project :
FNR11693861 - Characterization Of Malicious Code In Mobile Apps: Towards Accurate And Explainable Malware Detection, 2017 (01/06/2018-31/12/2021) - Jacques Klein
Available on ORBilu :
since 07 May 2021

Statistics

Number of views : 172 (25 by Unilu)
Number of downloads : 91 (14 by Unilu)
Scopus citations : 6
Scopus citations without self-citations : 6
OpenCitations : 2
WoS citations : 5
