Skip to content
/ TROVON Public

Learning from what we know: How to perform vulnerability prediction using noisy historical data, Empirical Software Engineering (EMSE)

License

Apache-2.0 license
11 stars 8 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

garghub/TROVON

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

62 Commits

CVE XMLs

CVE XMLs

 
 

code

code

 
 

dataset

dataset

 
 

devign

devign

 
 

lstm-rf

lstm-rf

 
 

results

results

 
 

seq2seq

seq2seq

 
 

trovon-bilstm/results

trovon-bilstm/results

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

CITATION.cff

CITATION.cff

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

trovon.bib

trovon.bib

 
 

Repository files navigation

Learning from what we know: How to perform vulnerability prediction using noisy historical data

This repository contains the source code and dataset for the paper Learning from what we know: How to perform vulnerability prediction using noisy historical data, published in Empirical Software Engineering (EMSE).

The paper is available here: Paper

The bib entry for citing the paper is available here: Cite

In addition to the source code of our proposed approach TROVON, we also implement existing approaches due to unavailable authors' implementation. Our implementations of the existing approaches which we compare TROVON with, are also available in this repository. Please refer to the details below.

Dataset

The dataset is composed of the following:

  1. We gathered vulnerabilities, (i.e., the vulnerable and the corresponding fixed components) of the 36 releases of Linux Kernel, 10 releases of Openssl, and 10 releases of Wireshark. For this task, we use VulData7 which is a vulnerability patch gathering tool that used commit IDs provided by National Vulnerability Database (NVD) to gather the aforementioned. These are available in the vulnerabilities directory.

  2. We also gathered codebase for the aforementioned releases. For this task, we use FrameVPM which is a framework built to evaluate and compare vulnerability prediction models. The framework is available here.

Source code

The source code of the vulnerability prediction approaches - TROVON and the existing (that we compared TROVON with) are available as below mentioned:

  1. Source code of our proposed approach TROVON is available in the code directory.

  2. Source code to replicate the following approaches - Software Metrics, Text Mining, Imports, and Function Calls, is available in the FrameVPM repository.

  3. Source code of our implementation of the approach Devign is available in the devign directory.

  4. Source code of our implementation of the approaches LSTM and LSTM-RF is available in the lstm-rf directory.

Tools required/dependencies to be taken care of

  1. Apache Maven
  2. srcML
  3. seq2seq
  4. Tkinter
  5. TensorFlow
  6. PyYAML
  7. Perl

Model training

Please refer to the script train.sh

./train.sh [dirpath] [training-samples-num * epoch-num] [dirpath]/model [config] 1 [training-samples-num] [training-samples-num] 0

For model configuration, please refer length_50-l-1-2.yml. It is configured to train on sequences of length 50, which can be changed based on your requirement.

Model testing

Please refer to the script test.sh

./test.sh [dirpath]/test [dirpath]/model [desired-generated-sequences-file-name]

About

Learning from what we know: How to perform vulnerability prediction using noisy historical data, Empirical Software Engineering (EMSE)

Topics

vulnerability-detection encoder-decoder

Resources

Readme

License

Apache-2.0 license
Activity

Stars

11 stars

Watchers

1 watching

Forks

8 forks
Report repository

Contributors 2

  •  
  •