Exploiting Token and Path-based Representations of Code for Identifying Security-Relevant Commits
This addresses the need for timely detection of security vulnerabilities in software development, as public databases are incomplete and inconsistent, though it appears incremental by building on existing deep learning approaches.
The authors tackled the problem of identifying security-relevant commits in open-source Java projects, proposing hierarchical deep learning models that show promising results compared to state-of-the-art methods like code2vec and logistic regression baselines.
Public vulnerability databases such as CVE and NVD account for only 60% of security vulnerabilities present in open-source projects, and are known to suffer from inconsistent quality. Over the last two years, there has been considerable growth in the number of known vulnerabilities across projects available in various repositories such as NPM and Maven Central. Such an increasing risk calls for a mechanism to infer the presence of security threats in a timely manner. We propose novel hierarchical deep learning models for the identification of security-relevant commits from either the commit diff or the source code for the Java classes. By comparing the performance of our model against code2vec, a state-of-the-art model that learns from path-based representations of code, and a logistic regression baseline, we show that deep learning models show promising results in identifying security-related commits. We also conduct a comparative analysis of how various deep learning models learn across different input representations and the effect of regularization on the generalization of our models.