TY - JOUR
T1 - Automatically Identifying CVE Affected Versions with Patches and Developer Logs
AU - He, Yongzhong
AU - Wang, Yiming
AU - Zhu, Sencun
AU - Wang, Wei
AU - Zhang, Yunjia
AU - Li, Qiang
AU - Yu, Aimin
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2024/3/1
Y1 - 2024/3/1
N2 - While vulnerability databases are an important source of information for software security, the information they hold is known to be inconsistent, and rectifying the incorrect entries is a challenging problem. In this article, we use developer logs and patches to automatically identify the vulnerable source code versions that each CVE really affects. Our tool organizes all versions of a piece of software into a version tree and identifies the first vulnerable version together with the last vulnerable version on the trunk and on each branch of that tree. For evaluation, we took the Linux kernel as a case study and quantified the error rate of the vulnerable versions reported by the NVD. The NVD reported 43,727 vulnerable Linux kernel versions (as of September 2020); against these we found 2,497 false positives and 9,330 false negatives, 5.7% and 21.34% of the reported count, respectively. In addition, we compare our tool with two vulnerability detection tools and show that it achieves high detection accuracy.
AB - While vulnerability databases are an important source of information for software security, the information they hold is known to be inconsistent, and rectifying the incorrect entries is a challenging problem. In this article, we use developer logs and patches to automatically identify the vulnerable source code versions that each CVE really affects. Our tool organizes all versions of a piece of software into a version tree and identifies the first vulnerable version together with the last vulnerable version on the trunk and on each branch of that tree. For evaluation, we took the Linux kernel as a case study and quantified the error rate of the vulnerable versions reported by the NVD. The NVD reported 43,727 vulnerable Linux kernel versions (as of September 2020); against these we found 2,497 false positives and 9,330 false negatives, 5.7% and 21.34% of the reported count, respectively. In addition, we compare our tool with two vulnerability detection tools and show that it achieves high detection accuracy.
UR - http://www.scopus.com/inward/record.url?scp=85153387068&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85153387068&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2023.3264567
DO - 10.1109/TDSC.2023.3264567
M3 - Article
AN - SCOPUS:85153387068
SN - 1545-5971
VL - 21
SP - 905
EP - 919
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 2
ER -
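Worked example added after the record (it is not the paper's tool and uses no real kernel or NVD data): a small version-tree model of the procedure the abstract describes. The trunk and stable-branch releases, the bug history (introducing release, fixing release, and the backports of each into stable branches) and the "reported" list, expanded from a flat numeric range the way a database entry of the form "from X up to Y" is, are all constructed for illustration. The code derives the first and last vulnerable release on the trunk and on each branch, then scores the reported list against the derived set to count false positives and false negatives with the same denominator the abstract uses.

```python
"""Deciding which releases a CVE really affects from a version tree.

Added illustration; not the paper's tool and no real kernel data. The trunk,
stable branches, introducing/fixing releases and the "reported" list below
are all constructed.
"""

from __future__ import annotations


def vkey(v: str) -> tuple[int, ...]:
    """Numeric ordering: '5.10.2' > '5.4.12' > '5.4'."""
    return tuple(int(p) for p in v.split("."))


def in_span(v: str, start: str | None, end: str | None) -> bool:
    """start <= v < end, with None meaning unbounded on that side."""
    k = vkey(v)
    return (start is None or vkey(start) <= k) and (end is None or k < vkey(end))


def affected_by_branch(trunk, branches, introduced, fixed,
                       intro_backports=None, fix_backports=None):
    """Return {branch name: [vulnerable releases in order]}.

    trunk:            mainline releases in order.
    branches:         {name: (mainline release it forked from, releases in order)}.
    introduced/fixed: mainline releases carrying the bug / the fix (fixed=None: open).
    intro_backports:  {name: release where the buggy commit was picked into that branch}.
    fix_backports:    {name: release where the fix was picked into that branch}.
    """
    intro_backports = intro_backports or {}
    fix_backports = fix_backports or {}
    trunk_bad = [v for v in trunk if in_span(v, introduced, fixed)]
    result = {"trunk": trunk_bad}
    for name, (fork, releases) in branches.items():
        if fork in trunk_bad:            # branch was cut from a vulnerable mainline tag
            start = releases[0]
        elif name in intro_backports:    # bug arrived later via a backport
            start = intro_backports[name]
        else:
            continue                     # branch never carried the bug
        bad = [v for v in releases if in_span(v, start, fix_backports.get(name))]
        if bad:
            result[name] = bad
    return result


def first_last(per_branch):
    """First and last vulnerable release on each line of development."""
    return {name: (vs[0], vs[-1]) for name, vs in per_branch.items()}


def expand_range(all_versions, start_incl, end_excl):
    """Naive numeric range expansion: the set a flat 'from X up to (excluding) Y'
    database entry claims when it ignores branch structure."""
    return {v for v in all_versions if in_span(v, start_incl, end_excl)}


def score(reported, actual):
    """FP/FN of a reported set against the tree-derived set. Rates are taken
    over the reported count, the same denominator the abstract uses."""
    reported, actual = set(reported), set(actual)
    fp, fn = reported - actual, actual - reported
    n = len(reported)
    return {"tp": len(reported & actual), "fp": len(fp), "fn": len(fn),
            "fp_rate": len(fp) / n, "fn_rate": len(fn) / n}


# Constructed version tree (not real kernel history).
TRUNK = ["5.3", "5.4", "5.5", "5.6", "5.7", "5.8"]
BRANCHES = {
    "5.4.y": ("5.4", ["5.4.1", "5.4.2", "5.4.3", "5.4.4"]),
    "5.5.y": ("5.5", ["5.5.1", "5.5.2", "5.5.3"]),
    "5.7.y": ("5.7", ["5.7.1", "5.7.2"]),
}
ALL = TRUNK + [v for _, vs in BRANCHES.values() for v in vs]

# Constructed bug history: introduced in 5.5, fixed in 5.7; the buggy commit was
# also picked into 5.4.3 (never fixed there) and the fix was picked into 5.5.3.
PER_BRANCH = affected_by_branch(TRUNK, BRANCHES, "5.5", "5.7",
                                intro_backports={"5.4.y": "5.4.3"},
                                fix_backports={"5.5.y": "5.5.3"})
ACTUAL = {v for vs in PER_BRANCH.values() for v in vs}
REPORTED = expand_range(ALL, "5.5", "5.7")   # what a flat "5.5 <= v < 5.7" entry claims

if __name__ == "__main__":
    print(first_last(PER_BRANCH))
    print(sorted(ACTUAL, key=vkey), sorted(REPORTED, key=vkey))
    print(score(REPORTED, ACTUAL))
```

The flat range produces both error kinds the abstract quantifies: a false positive (5.5.3, which already carries the backported fix) and false negatives (5.4.3 and 5.4.4, which sort below the range start but received the buggy commit through a backport). Neither can be seen from the version numbers alone; only the developer logs that record the backports resolve them.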