Litcius/Paper detail

Just-in-time software vulnerability detection: Are we there yet?

Francesco Lomio, Emanuele Iannone, Andrea De Lucia, Fabio Palomba, Valentina Lenarduzzi

2022Journal of Systems and Software65 citationsDOIOpen Access PDF

Abstract

Software vulnerabilities are weaknesses in source code that might be exploited to cause harm or loss. Previous work has proposed a number of automated machine learning approaches to detect them. Most of these techniques work at release-level, meaning that they aim at predicting the files that will potentially be vulnerable in a future release. Yet, researchers have shown that a commit-level identification of source code issues might better fit the developer’s needs, speeding up their resolution. To investigate how currently available machine learning-based vulnerability detection mechanisms can support developers in the detection of vulnerabilities at commit-level. We perform an empirical study where we consider nine projects accounting for 8991 commits and experiment with eight machine learners built using process, product, and textual metrics. We point out three main findings: (1) basic machine learners rarely perform well; (2) the use of ensemble machine learning algorithms based on boosting can substantially improve the performance; and (3) the combination of more metrics does not necessarily improve the classification capabilities. Further research should focus on just-in-time vulnerability detection, especially with respect to the introduction of smart approaches for feature selection and training strategies.

Topics & Concepts

Vulnerability (computing)Computer scienceSoftwareReal-time computingComputer securityOperating systemSoftware Engineering ResearchSoftware Reliability and Analysis ResearchSoftware Testing and Debugging Techniques