Abstract
Software vulnerability prediction and management have caught the interest of researchers and practitioners, recently. Various techniques that are usually based on characteristics of the code artefacts are also offered to predict software vulnerabilities. While other studies achieve promising results, the role of developers in inducing vulnerabilities has not been studied yet. We aim to profile the vulnerability inducing and vulnerability fixing behaviors of developers in software projects using Heterogeneous Information Network (HIN) analysis. We also investigate the impact of developer profiles in predicting vulnerability inducing commits, and compare the findings against the approach based on the code metrics. We adopt Random Walk with Restart (RWR) algorithm on HIN and the aggregation of code metrics for extracting all the input features. We utilize traditional machine learning algorithms namely, Naive Bayes (NB), Support Vector Machine (SVM), Random Forest (RF) and eXtreme Gradient Boosting (XGBoost) to build the prediction models.We report our empirical analysis to predict vulnerability inducing commits of four Apache projects. The technique based on code metrics achieves 90% success for the recall measure, whereas the technique based on profiling developer behavior achieves 71% success. When we use the feature sets obtained with the two techniques together, we achieve 89% success.
Original language | English |
---|---|
Title of host publication | PROMISE 2022 - Proceedings of the 18th International Conference on Predictive Models and Data Analytics in Software Engineering, co-located with ESEC/FSE 2022 |
Editors | Shane McIntosh, Weiyi Shang, Gema Rodriguez Perez |
Publisher | Association for Computing Machinery, Inc |
Pages | 32-41 |
Number of pages | 10 |
ISBN (Electronic) | 9781450398602 |
DOIs | |
Publication status | Published - 2 Nov 2022 |
Event | 18th ACM International Conference on Predictive Models and Data Analytics in Software Engineering, PROMISE 2022, co-located with the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2022 - Singapore, Singapore Duration: 17 Nov 2022 → … |
Publication series
Name | PROMISE 2022 - Proceedings of the 18th International Conference on Predictive Models and Data Analytics in Software Engineering, co-located with ESEC/FSE 2022 |
---|
Conference
Conference | 18th ACM International Conference on Predictive Models and Data Analytics in Software Engineering, PROMISE 2022, co-located with the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, ESEC/FSE 2022 |
---|---|
Country/Territory | Singapore |
City | Singapore |
Period | 17/11/22 → … |
Bibliographical note
Publisher Copyright:© 2022 Owner/Author.
Funding
This work was funded by The Scientific and Technological Research Council of Turkey, under 1515 Frontier RD Laboratories Support Program with project no: 5169902.
Funders | Funder number |
---|---|
Türkiye Bilimsel ve Teknolojik Araştırma Kurumu | 5169902 |
Keywords
- profiling developers
- technical debt
- vulnerability
- vulnerability prediction