Identifying Vulnerable Third-Party Libraries from Textual Descriptions of Vulnerabilities and Libraries

by   Tianyu Chen, et al.

To address security vulnerabilities arising from third-party libraries, security researchers maintain databases monitoring and curating vulnerability reports, e.g., the National Vulnerability Database (NVD). Application developers can identify vulnerable libraries by directly querying the databases with the name of each used library. However, the querying results of vulnerable libraries are not reliable due to the incompleteness of vulnerability reports. Thus, current approaches model the task of identifying vulnerable libraries as a named-entity-recognition (NER) task or an extreme multi-label learning (XML) task. These approaches suffer from highly inaccurate results and cannot identify zero-shot libraries (i.e., those not appearing during model training). To address these limitations, in this paper, we propose VulLibMiner, the first to identify vulnerable libraries from textual descriptions of both vulnerabilities and libraries, together with VulLib, a Java vulnerability dataset with their affected libraries. VulLibMiner consists of a TF-IDF matcher to efficiently screen out a small set of candidate libraries and a BERT-FNN model to identify vulnerable libraries from these candidates effectively. We evaluate VulLibMiner using four state-of-the-art/practice approaches of identifying vulnerable libraries on both their dataset named VeraJava and our VulLib dataset. Our evaluation results show that VulLibMiner can effectively identify vulnerable libraries with an average F1 score of 0.561 while the state-of-the-art/practice approaches achieve only 0.377.


page 1

page 4


VulLibGen: Identifying Vulnerable Third-Party Libraries via Generative Pre-Trained Model

To avoid potential risks posed by vulnerabilities in third-party librari...

CHRONOS: Time-Aware Zero-Shot Identification of Libraries from Vulnerability Reports

Tools that alert developers about library vulnerabilities depend on accu...

Automated Characterization of Software Vulnerabilities

Preventing vulnerability exploits is a critical software maintenance tas...

Dissecting Code Vulnerabilities: Insights from C++ and Java Vulnerability Analysis with ReVeal Model

This study presents an analysis conducted on a real-world dataset of Jav...

Approaches to Identify Vulnerabilities to Misinformation: A Research Agenda

Given the prevalence of online misinformation and our scarce cognitive c...

VULNERLIZER: Cross-analysis Between Vulnerabilities and Software Libraries

The identification of vulnerabilities is a continuous challenge in softw...

Enriching Vulnerability Reports Through Automated and Augmented Description Summarization

Security incidents and data breaches are increasing rapidly, and only a ...

Please sign up or login with your details

Forgot password? Click here to reset