SECR
Dec 4, 2021

Tracking Patches for Open Source Software Vulnerabilities

arXiv:2112.02240v2
43 citations
Has Code
Originality: Synthesis-oriented
AI Analysis

This work tackles the issue of software security risks for developers and users due to unreliable vulnerability patches, but it appears incremental as it focuses on assessing existing methods rather than introducing a new solution.

The paper addresses the problem of poor patch quality in vulnerability databases for open source software, finding that existing manual or heuristic-based patch tracking methods are too costly or limited to apply broadly.

Open source software (OSS) vulnerabilities threaten the security of software systems that use OSS. Vulnerability databases provide valuable information (e.g., vulnerable version and patch) to mitigate OSS vulnerabilities. There is growing concern about the information quality of vulnerability databases. However, it is unclear what the quality of patches in existing vulnerability databases is, and existing manual or heuristic-based approaches for patch tracking are either too expensive or too specific to apply to all OSS vulnerabilities.
