Back to the Roots Assessing Mining Techniques for Java Vulnerability-Contributing Commits /

Back to the Roots Assessing Mining Techniques for Java Vulnerability-Contributing Commits /

Context : Vulnerability-contributing commits (VCCs) are code changes that introduce vulnerabilities. Mining historical VCCs relies on SZZ-based algorithms that trace from known vulnerability-fixing commits. Objective : Although these techniques have been used, e.g., to train just-in-time vulnerabili...

Teljes leírás

Elmentve itt :
Bibliográfiai részletek
Szerzők: Hinrichs Torge
Iannone Emanuele
Aladics Tamás
Hegedűs Péter
De Lucia Andrea
Palomba Fabio
Scandariato Riccardo
Dokumentumtípus: Cikk
Megjelent: 2025
Sorozat:ACM TRANSACTIONS ON SOFTWARE ENGINEERING AND METHODOLOGY 1
Tárgyszavak:
Számítás- és információtudomány
doi:10.1145/3769105

mtmt:36362772
Online Access:http://publicatio.bibl.u-szeged.hu/38520
Leíró adatok
Tartalmi kivonat:Context : Vulnerability-contributing commits (VCCs) are code changes that introduce vulnerabilities. Mining historical VCCs relies on SZZ-based algorithms that trace from known vulnerability-fixing commits. Objective : Although these techniques have been used, e.g., to train just-in-time vulnerability predictors, they lack systematic benchmarking to evaluate their precision, recall, and error sources. Method : We empirically assessed 12 VCC mining techniques in Java repositories using two benchmark datasets (one from the literature and one newly curated). We also explored combinations of techniques, through intersections, voting schemes, and machine learning, to improve performance. Results : Individual techniques achieved at most 0.60 precision but up to 0.89 recall. The precision rose to 0.75 when the outputs were combined with the logical AND, at the expense of recall. Machine learning ensembles reached 0.80 precision with a better precision–recall balance. Performance varied significantly by dataset. Analyzing “fixing commits” showed that certain fix types (e.g., filtering or sanitization) affect retrieval accuracy, and failure patterns highlighted weaknesses when fixes involve external data handling. Conclusion : Such results help software security researchers select the most suitable mining technique for their studies and understand new ways to design more accurate solutions.
ISSN:1049-331X

Hasonló tételek