Article (Scientific journals)
Revisiting the VCCFinder approach for the identification of vulnerability-contributing commits
RIOM, Timothée; SAWADOGO, Delwende Donald Arthur; ALLIX, Kevin et al.
2021In Empirical Software Engineering, 26
Peer Reviewed verified by ORBi
 

Files


Full Text
Riom2021_Article_RevisitingTheVCCFinderApproach.pdf
Publisher postprint (3.53 MB)
Download

The original publication is available at www.springerlink.com


All documents in ORBilu are protected by a user license.

Send to



Details



Keywords :
Vulnerability detection; Machine-Learning; Replication; Software Engineering
Abstract :
[en] Detecting vulnerabilities in software is a constant race between development teams and potential attackers. While many static and dynamic approaches have focused on regularly analyzing the software in its entirety, a recent research direction has focused on the analysis of changes that are applied to the code. VCCFinder is a seminal approach in the literature that builds on machine learning to automatically detect whether an incoming commit will introduce some vulnerabilities. Given the influence of VCCFinder in the literature, we undertake an investigation into its performance as a state-of-the-art system. To that end, we propose to attempt a replication study on the VCCFinder supervised learning approach. The insights of our failure to replicate the results reported in the original publication informed the design of a new approach to identify vulnerability-contributing commits based on a semi-supervised learning technique with an alternate feature set. We provide all artefacts and a clear description of this approach as a new reproducible baseline for advancing research on machine learning-based identification of vulnerability-introducing commits
Disciplines :
Computer science
Author, co-author :
RIOM, Timothée ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
SAWADOGO, Delwende Donald Arthur ;  Université du Québec à Montréal
ALLIX, Kevin ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
BISSYANDE, Tegawendé François D Assise  ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
MOHA, Naouel ;  Université du Québec à Montréal
KLEIN, Jacques ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
External co-authors :
yes
Language :
English
Title :
Revisiting the VCCFinder approach for the identification of vulnerability-contributing commits
Publication date :
29 March 2021
Journal title :
Empirical Software Engineering
ISSN :
1573-7616
Publisher :
Springer, United States
Volume :
26
Peer reviewed :
Peer Reviewed verified by ORBi
Focus Area :
Computational Sciences
FnR Project :
FNR11693861 - Characterization Of Malicious Code In Mobile Apps: Towards Accurate And Explainable Malware Detection, 2017 (01/06/2018-31/12/2021) - Jacques Klein
Available on ORBilu :
since 07 May 2021

Statistics


Number of views
175 (25 by Unilu)
Number of downloads
94 (14 by Unilu)

Scopus citations®
 
6
Scopus citations®
without self-citations
6
OpenCitations
 
2
WoS citations
 
5

Bibliography


Similar publications



Contact ORBilu