Litcius/Paper detail

V-SZZ

Lingfeng Bao, Xin Xia, Ahmed E. Hassan, Xiaohu Yang

2022Proceedings of the 44th International Conference on Software Engineering46 citationsDOI

Abstract

Vulnerabilities publicly disclosed in the National Vulnerability Database (NVD) are assigned with CVE (Common Vulnerabilities and Exposures) IDs and associated with specific software versions. Many organizations, including IT companies and government, heavily rely on the disclosed vulnerabilities in NVD to mitigate their security risks. Once a software is claimed as vulnerable by NVD, these organizations would examine the presence of the vulnerable versions of the software and assess the impact on themselves. However, the version information about vulnerable software in NVD is not always reliable. Nguyen et al. find that the version information of many CVE vulnerabilities is spurious and propose an approach based on the original SZZ algorithm (i.e., an approach to identify bug-introducing commits) to assess the software versions affected by CVE vulnerabilities.

Topics & Concepts

Computer scienceSecure codingVulnerability (computing)Computer securitySoftwareSecurity bugSoftware bugSoftware security assuranceInformation securitySecurity serviceProgramming languageSoftware Engineering ResearchSoftware Reliability and Analysis ResearchAdvanced Malware Detection Techniques
V-SZZ | Litcius