Due to the growing number of cyber attacks against computer systems, we need to pay special attention to the security of our software systems. To maximize effectiveness, excluding the human component from this process would be a huge breakthrough. The first step towards this is to automatically recognize the vulnerable parts of our code. Researchers have put a lot of effort into creating machine learning models that can determine whether a given piece of code, or more precisely a selected function, contains any vulnerabilities. We aim to improve the existing models, building on previous results in predicting vulnerabilities at the level of functions in JavaScript code using well-known static source code metrics. In this work, we propose to include several so-called process metrics (e.g., code churn, number of developers modifying a file, or the age of the changed source code) in the set of features, and examine how they affect the performance of the function-level JavaScript vulnerability prediction models. We can confirm that process metrics significantly improve the prediction power of such models. On average, we observed an 8.4% improvement in terms of F-measure (from 0.764 to 0.848), a 3.5% improvement in terms of precision (from 0.953 to 0.988) and a 6.3% improvement in terms of recall (from 0.697 to 0.760).