Detecting Security Fixes in Open-Source Repositories using Static Code Analyzers
This addresses the scarcity of reliable vulnerability information for open-source software, enabling better detection of security fixes, though it is incremental as it builds on existing methods like commit2vec.
The paper tackled the problem of automatically identifying security fixes in open-source repositories by using static code analyzer outputs as features for machine learning models, achieving results comparable to state-of-the-art methods and showing that combining with commit2vec improves performance.
The sources of reliable, code-level information about vulnerabilities that affect open-source software (OSS) are scarce, which hinders a broad adoption of advanced tools that provide code-level detection and assessment of vulnerable OSS dependencies. In this paper, we study the extent to which the output of off-the-shelf static code analyzers can be used as a source of features to represent commits in Machine Learning (ML) applications. In particular, we investigate how such features can be used to construct embeddings and train ML models to automatically identify source code commits that contain vulnerability fixes. We analyze such embeddings for security-relevant and non-security-relevant commits, and we show that, although in isolation they are not different in a statistically significant manner, it is possible to use them to construct a ML pipeline that achieves results comparable with the state of the art. We also found that the combination of our method with commit2vec represents a tangible improvement over the state of the art in the automatic identification of commits that fix vulnerabilities: the ML models we construct and commit2vec are complementary, the former being more generally applicable, albeit not as accurate.