Commit Message Can Help: Security Patch Detection in Open Source Software via Transformer

As open source software is widely used, the vulnerabilities contained therein are also rapidly propagated to a large number of innocent applications. Even worse, many vulnerabilities in open-source projects are secretly fixed, which leads to affected software being unaware and thus exposed to risks....

Full description

Saved in:
Bibliographic Details
Main Authors: Zuo, Fei, Zhang, Xin, Song, Yuqi, Rhee, Junghwan, Fu, Jicheng
Format: Conference Proceeding
Language:English
Subjects:
Codes
Computer architecture
Natural language processing
Neural networks
open source software
Security
security patch
Software maintenance
transformer
Transformers
vulnerability detection
Online Access:Request full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:As open source software is widely used, the vulnerabilities contained therein are also rapidly propagated to a large number of innocent applications. Even worse, many vulnerabilities in open-source projects are secretly fixed, which leads to affected software being unaware and thus exposed to risks. For the purpose of protecting deployed software, designing an effective patch classification system becomes more of a need than an option. To this end, some researchers take advantage of the recent advancements in natural language processing to learn both commit messages and code changes. However, they often incur high false positive rates. Not only that, existing works cannot yet answer how much the textual description (such as commit messages) alone can influence the final triage. In this paper, we propose a Transformer based patch classifier, which does not use any code changes as inputs. Surprisingly, the extensive experiment shows the proposed approach can significantly outperform other state-of-the-art work with a high precision of 93.0% and low false positive rate. Therefore, our research further confirms the critical importance of well-crafted commit messages for the later software maintenance. Finally, our case study also identifies 48 silent security patches, which can benefit those affected software.
ISSN:2770-8209
DOI:10.1109/SERA57763.2023.10197730