CRAISE, Sep 7, 2022

VulCurator: A Vulnerability-Fixing Commit Detector

arXiv:2209.03260v1 | 43 citations | h-index: 83 | Has Code
Originality: Incremental advance
AI Analysis

This work addresses the time-consuming task of manual vulnerability management for software developers and security analysts, but it is incremental as it builds on existing machine learning techniques with richer data sources.

The paper tackles the problem of automatically detecting vulnerability-fixing commits in open-source software by proposing VulCurator, a tool that uses deep learning on multiple information sources, and it outperforms state-of-the-art baselines by up to 16.1% in F1-score.

The open-source software (OSS) vulnerability management process is important nowadays, as the number of discovered OSS vulnerabilities is increasing over time. Monitoring vulnerability-fixing commits is part of the standard process to prevent vulnerability exploitation. Manually detecting vulnerability-fixing commits is, however, time-consuming due to the possibly large number of commits to review. Recently, many techniques have been proposed to automatically detect vulnerability-fixing commits using machine learning. These solutions either (1) do not use deep learning, or (2) use deep learning on only limited sources of information. This paper proposes VulCurator, a tool that leverages deep learning on richer sources of information, including commit messages, code changes and issue reports, for vulnerability-fixing commit classification. Our experimental results show that VulCurator outperforms the state-of-the-art baselines by up to 16.1% in terms of F1-score. The VulCurator tool is publicly available at https://github.com/ntgiang71096/VFDetector and https://zenodo.org/record/7034132#.Yw3MN-xBzDI, with a demo video at https://youtu.be/uMlFmWSJYOE.

Code Implementations: 1 repo