On Building a Vulnerability Dataset with Static Information from the Source Code

  • José D'Abruzzo Pereira University of Coimbra
  • João Henggeler Antunes University of Coimbra
  • Marco Vieira University of Coimbra

Resumo


Software vulnerabilities are weaknesses in software systems that can have serious consequences when exploited. Examples of side effects include unauthorized authentication, data breaches, and financial losses. Due to the nature of the software industry, companies are increasingly pressured to deploy software as quickly as possible, leading to a large number of undetected software vulnerabilities. Static code analysis, with the support of Static Analysis Tools (SATs), can generate security alerts that highlight potential vulnerabilities in an application's source code. Software Metrics (SMs) have also been used to predict software vulnerabilities, usually with the support of Machine Learning (ML) classification algorithms. Several datasets are available to support the development of improved software vulnerability detection techniques. However, they suffer from the same issues: they are either outdated or use a single type of information. In this paper, we present a methodology for collecting software vulnerabilities from known vulnerability databases and enhancing them with static information (namely SAT alerts and SMs). The proposed methodology aims to define a mechanism capable of more easily updating the collected data.
Palavras-chave: Industries, Codes, Software metrics, Databases, Static analysis, Machine learning, Data breach
Publicado
22/11/2021
PEREIRA, José D'Abruzzo; ANTUNES, João Henggeler; VIEIRA, Marco. On Building a Vulnerability Dataset with Static Information from the Source Code. In: WORKSHOP ON SAFETY, SECURITY, AND PRIVACY IN COMPLEX ARTIFICIAL INTELLIGENCE BASED SYSTEMS (SAFELIFE), 1. , 2021, Florianópolis. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2021 .