Riom, Timothé, Sawadogo, Arthur, Allix, Kevin, Bissyandé, Tegawendé F., Moha, Naouel and Klein, Jacques.
2021.
« Revisiting the VCCFinder approach for the identification of vulnerability-contributing commits ».
Empirical Software Engineering, vol. 26, nº 3.
Compte des citations dans Scopus : 7.
Preview |
PDF
Moha-N-2021-25872.pdf - Published Version Use licence: Creative Commons CC BY. Download (3MB) | Preview |
Abstract
Detecting vulnerabilities in software is a constant race between development teams and potential attackers. While many static and dynamic approaches have focused on regularly analyzing the software in its entirety, a recent research direction has focused on the analysis of changes that are applied to the code. VCCFinder is a seminal approach in the litera- ture that builds on machine learning to automatically detect whether an incoming commit will introduce some vulnerabilities. Given the influence of VCCFinder in the literature, we undertake an investigation into its performance as a state-of-the-art system. To that end, we propose to attempt a replication study on the VCCFinder supervised learning approach. The insights of our failure to replicate the results reported in the original publication informed the design of a new approach to identify vulnerability-contributing commits based on a semi-supervised learning technique with an alternate feature set. We provide all artefacts and a clear description of this approach as a new reproducible baseline for advancing research on machine learning-based identification of vulnerability-introducing commits.
Item Type: | Peer reviewed article published in a journal |
---|---|
Additional Information: | Identifiant de l'article: 46 |
Professor: | Professor Moha, Naouel |
Affiliation: | Génie logiciel et des technologies de l'information |
Date Deposited: | 18 Nov 2022 17:50 |
Last Modified: | 08 Dec 2022 13:45 |
URI: | https://espace2.etsmtl.ca/id/eprint/25872 |
Actions (login required)
View Item |