Vulnerability discovery based on source code patch commit mining: a systematic literature review

F Zuo, J Rhee - International Journal of Information Security, 2024 - Springer
In recent years, there has been a remarkable surge in the adoption of open-source software
(OSS). However, with the growing usage of OSS components in both free and proprietary …

Finetuning large language models for vulnerability detection

A Shestov, A Cheshkov, R Levichev… - arXiv preprint arXiv …, 2024 - arxiv.org
This paper presents the results of finetuning large language models (LLMs) for the task of
detecting vulnerabilities in source code. We leverage WizardCoder, a recent improvement of …

PatchFinder: A two-phase approach to security patch tracing for disclosed vulnerabilities in open-source software

K Li, J Zhang, S Chen, H Liu, Y Liu… - Proceedings of the 33rd …, 2024 - dl.acm.org
Open-source software (OSS) vulnerabilities are increasingly prevalent, emphasizing the
importance of security patches. However, in widely used security platforms like NVD, a …

VFCFinder: Pairing Security Advisories and Patches

T Dunlap, E Lin, W Enck, B Reaves - Proceedings of the 19th ACM Asia …, 2024 - dl.acm.org
Security advisories are the primary channel of communication for discovered vulnerabilities
in open-source software, but they often lack crucial information. Specifically, 63% of …

Vision: Identifying Affected Library Versions for Open Source Software Vulnerabilities

S Wu, R Wang, K Huang, Y Cao, W Song… - Proceedings of the 39th …, 2024 - dl.acm.org
Vulnerability reports play a crucial role in mitigating open-source software risks. Typically,
the vulnerability report contains affected versions of a software. However, despite the …

Identifying Affected Libraries and Their Ecosystems for Open Source Software Vulnerabilities

S Wu, W Song, K Huang, B Chen, X Peng - Proceedings of the IEEE …, 2024 - dl.acm.org
Software composition analysis (SCA) tools have been widely adopted to identify vulnerable
libraries used in software applications. Such SCA tools depend on a vulnerability database …

VFCFinder: Seamlessly pairing security advisories and patches

T Dunlap, E Lin, W Enck, B Reaves - arXiv preprint arXiv:2311.01532, 2023 - arxiv.org
Security advisories are the primary channel of communication for discovered vulnerabilities
in open-source software, but they often lack crucial information. Specifically, 63% of …

Dual Prompt-Based Few-Shot Learning for Automated Vulnerability Patch Localization

J Zhang, X Hu, L Bao, X Xia, S Li - 2024 IEEE International …, 2024 - ieeexplore.ieee.org
Vulnerabilities are disclosed with corresponding patches so that users can remediate them
in time. However, there are instances where patches are not released with the disclosed …

Enhancing Security in Third-Party Library Reuse--Comprehensive Detection of 1-day Vulnerability through Code Patch Analysis

S Xu, J Dong, W Cai, J Li, A Shaghaghi, N Sun… - arXiv preprint arXiv …, 2024 - arxiv.org
Nowadays, software development progresses rapidly to incorporate new features. To
facilitate such growth and provide convenience for developers when creating and updating …

Improving Data Curation of Software Vulnerability Patches through Uncertainty Quantification

H Chen, Y Zhao, K Damevski - arXiv preprint arXiv:2411.11659, 2024 - arxiv.org
The changesets (or patches) that fix open source software vulnerabilities form critical
datasets for various machine learning security-enhancing applications, such as automated …