Automatically Identifying CVE Affected Versions with Patches and Developer Logs

Yongzhong He, Yiming Wang, Sencun Zhu, Wei Wang, Yunjia Zhang, Qiang Li, Aimin Yu

Research output: Contribution to journal › Article › peer-review

1 Citation (SciVal)

Abstract

While vulnerability databases are important sources of information for software security, it is known that the information in these databases is inconsistent. How to rectify these incorrect data is a challenging issue. In this article, we employ developer logs and patches to automatically identify the vulnerable source code versions that each CVE really affects. Our tool organizes all versions of a piece of software into a version tree and identifies the first vulnerable version and the last vulnerable versions in the version tree trunk and branches. For evaluation, we took the Linux Kernel as the case study and quantified the error rate of the vulnerable versions reported by the NVD. The total number of vulnerable Linux Kernel versions reported by the NVD was 43,727 (as of September 2020), of which the total number of false positives reached 2,497 and the total number of false negatives reached 9,330, accounting for 5.7% and 21.34%, respectively. In addition, we compare our tool with two vulnerability detection tools and show that our tool could achieve high detection accuracy.
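The abstract describes the core idea (a version tree, the set of versions containing the vulnerable commit minus the set containing the fix, and per-branch first/last vulnerable boundaries) but not the mechanics. The following Python model is an added example written for this page; it is not the authors' tool and does not use real Linux tags. The release graph, the introducing and fixing versions, and the "NVD-reported" list are all constructed, and it generalizes the abstract slightly by allowing the vulnerable commit itself to have been backported (several introducing versions), which the same set difference handles.

```python
"""Toy version-tree model for identifying which releases a CVE affects.

Assumptions (constructed for illustration):
  - Versions are tags in a tree: parent -> children. A mainline tag forks a
    stable branch (5.9 -> 5.9.1 -> 5.9.2 ...) and also continues mainline.
  - A commit that first lands in tag T is contained in T and every
    descendant of T (the equivalent of `git tag --contains`).
  - A version is vulnerable iff it contains an introducing commit and
    contains no fix commit (mainline fix or stable backport).
"""

# Constructed release graph; the real kernel tag graph is far larger.
VERSION_TREE = {
    "5.8": ["5.9", "5.8.1"],
    "5.8.1": ["5.8.2"],
    "5.8.2": [],
    "5.9": ["5.10", "5.9.1"],
    "5.9.1": ["5.9.2"],
    "5.9.2": ["5.9.3"],
    "5.9.3": [],
    "5.10": ["5.11", "5.10.1"],
    "5.10.1": [],
    "5.11": [],
}


def vkey(v):
    """Numeric sort key so that 5.8 < 5.10 (string order would put 5.10 first)."""
    return tuple(int(x) for x in v.split("."))


def branch_of(v):
    """Mainline tags have two components; stable tags belong to branch major.minor."""
    return "mainline" if v.count(".") == 1 else ".".join(v.split(".")[:2])


def descendants(tree, root):
    """Every tag reachable from root, root included: the tags containing a
    commit that first landed in root."""
    seen, stack = set(), [root]
    while stack:
        v = stack.pop()
        if v in seen:
            continue
        seen.add(v)
        stack.extend(tree.get(v, []))
    return seen


def affected_versions(tree, introduced_in, fixed_in):
    """introduced_in: tags where the vulnerable commit (or a backport of it)
    first landed. fixed_in: tags where the fix (or a backport) first landed."""
    vulnerable = set()
    for i in introduced_in:
        vulnerable |= descendants(tree, i)
    for f in fixed_in:
        vulnerable -= descendants(tree, f)
    return vulnerable


def first_vulnerable(tree, vulnerable):
    """Vulnerable tags whose parent is not vulnerable (entry points of the bug)."""
    parents = {c: p for p, cs in tree.items() for c in cs}
    return sorted((v for v in vulnerable if parents.get(v) not in vulnerable), key=vkey)


def last_vulnerable_per_branch(tree, vulnerable):
    """For each branch, the vulnerable tag with no vulnerable child on that
    same branch: the last release shipped before the fix landed there."""
    last = {}
    for v in vulnerable:
        same_branch_vulnerable_child = any(
            c in vulnerable and branch_of(c) == branch_of(v) for c in tree.get(v, [])
        )
        if not same_branch_vulnerable_child:
            last[branch_of(v)] = v
    return last


def compare_with_database(tool_set, db_set):
    """Database entries the tree analysis does not confirm are false positives;
    tree-derived vulnerable tags the database omits are false negatives."""
    return {
        "false_positives": sorted(db_set - tool_set, key=vkey),
        "false_negatives": sorted(tool_set - db_set, key=vkey),
    }


if __name__ == "__main__":
    # Constructed scenario: bug landed in 5.9, fixed in 5.10 and backported to 5.9.2.
    vuln = affected_versions(VERSION_TREE, ["5.9"], ["5.10", "5.9.2"])
    print("vulnerable:", sorted(vuln, key=vkey))
    print("first:", first_vulnerable(VERSION_TREE, vuln))
    print("last per branch:", last_vulnerable_per_branch(VERSION_TREE, vuln))
    # Constructed "database" entry that lists whole mainline releases only.
    print(compare_with_database(vuln, {"5.8", "5.9", "5.10"}))
```

In this scenario the tree analysis yields 5.9 and 5.9.1 as vulnerable, with 5.9 as the first vulnerable version and 5.9 / 5.9.1 as the last vulnerable versions on mainline and the 5.9 stable branch; against a constructed database entry of {5.8, 5.9, 5.10} that produces two false positives (5.8, 5.10) and one false negative (5.9.1), the same two error classes the abstract quantifies for the NVD.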

Original language: English (US)
Pages (from-to): 905-919
Number of pages: 15
Journal: IEEE Transactions on Dependable and Secure Computing
Volume: 21
Issue number: 2
DOIs
State: Published - Mar 1 2024

All Science Journal Classification (ASJC) codes

  • General Computer Science
  • Electrical and Electronic Engineering
