MSR 2024
Mon 15 - Tue 16 April 2024 Lisbon, Portugal
co-located with ICSE 2024
Tue 16 Apr 2024 14:24 - 14:36 at Grande Auditório - Security and Vision & Reflection Chair(s): Tim Menzies

Collecting relevant and high-quality data is integral to the development of effective Software Vulnerability (SV) prediction models. Most of the current SV datasets rely on SV-fixing commits to extract vulnerable functions and lines. However, none of these datasets have considered latent SVs existing between the introduction and fix of the collected SVs. There is also little known about the usefulness of these latent SVs for SV prediction. To bridge these gaps, we conduct a large-scale study on the latent vulnerable functions in two commonly used SV datasets and their utilization for function-level and line-level SV predictions. Leveraging the state-of-the-art SZZ algorithm, we identify more than 100k latent vulnerable functions in the studied datasets. We find that these latent functions can increase the number of SVs by 4x on average and correct up to 5k mislabeled functions, yet they have a noise level of around 6%. Despite the noise, we show that the state-of-the-art SV prediction model can significantly benefit from such latent SVs. The improvements are up to 24.5% in the performance (F1-Score) of function-level SV predictions and up to 67% in the effectiveness of localizing vulnerable lines. Overall, our study presents the first promising step toward the use of latent SVs to improve the quality of SV datasets and enhance the performance of SV prediction tasks.

Tue 16 Apr

Displayed time zone: Lisbon change

14:00 - 15:30
Security and Vision & ReflectionData and Tool Showcase Track / Technical Papers / Registered Reports / Vision and Reflection at Grande Auditório
Chair(s): Tim Menzies North Carolina State University
14:00
12m
Talk
Quantifying Security Issues in Reusable JavaScript Actions in GitHub Workflows
Technical Papers
Hassan Onsori Delicheh University of Mons, Belgium, Alexandre Decan University of Mons; F.R.S.-FNRS, Tom Mens University of Mons
Pre-print
14:12
12m
Talk
What Can Self-Admitted Technical Debt Tell Us About Security? A Mixed-Methods Study
Technical Papers
Nicolás E. Díaz Ferreyra Hamburg University of Technology, Mojtaba Shahin RMIT University, Mansooreh Zahedi The Univeristy of Melbourne, Sodiq Quadri Hamburg University of Technology, Riccardo Scandariato Hamburg University of Technology
Pre-print
14:24
12m
Talk
Are Latent Vulnerabilities Hidden Gems for Software Vulnerability Prediction? An Empirical Study
Technical Papers
Triet Le The University of Adelaide, Xiaoning Du Monash University, Australia, Muhammad Ali Babar School of Computer Science, The University of Adelaide
14:36
4m
Talk
MalwareBench: Malware samples are not enough
Data and Tool Showcase Track
Nusrat Zahan North Carolina State University, Philipp Burckhardt Socket, Inc, Mikola Lysenko Socket, Inc, Feross Aboukhadijeh Socket, Inc, Laurie Williams North Carolina State University
14:40
4m
Talk
Hash4Patch: A Lightweight Low False Positive Tool for Finding Vulnerability Patch Commits
Data and Tool Showcase Track
Simone Scalco University of Trento, Ranindya Paramitha University of Trento
14:44
4m
Talk
MegaVul: A C/C++ Vulnerability Dataset with Comprehensive Code Representations
Data and Tool Showcase Track
Chao Ni School of Software Technology, Zhejiang University, Liyu Shen Zhejiang University, Xiaohu Yang Zhejiang University, Yan Zhu Zhejiang University, Shaohua Wang Central University of Finance and Economics
Pre-print
14:48
5m
Talk
Analyzing and Mitigating (with LLMs) the Security Misconfigurations of Helm Charts from Artifact Hub
Registered Reports
Francesco Minna Vrije Universiteit Amsterdam, Fabio Massacci University of Trento; Vrije Universiteit Amsterdam, Katja Tuma Vrije Universiteit Amsterdam
14:53
5m
Talk
Fixing Smart Contract Vulnerabilities: A Comparative Analysis of Literature and Developer's Practices
Registered Reports
Francesco Salzano University of Molise, Simone Scalabrino University of Molise, Rocco Oliveto University of Molise, Remo Pareschi University of Molise
15:00
30m
Talk
Then, Now, and Next: Constants in Changing MSR Research Landscape
Vision and Reflection
Ayushi Rastogi University of Groningen, The Netherlands