Continuous Integration (CI) is one of the key practices in modern software development. It encourages developers to commit code frequently in order to deliver value rapidly. With an increasingly hostile network environment and ever more prominent security issues in software systems, major software companies broadly agree that code security deserves more attention within CI. Because server resources are limited in real CI scenarios, commits must wait for a server to be allocated before their build task can execute. During CI, unsafe commits may sit at any position in the waiting queue, which seriously constrains the security of the integrated code and degrades the overall build efficiency of the project.

To advance the repair of security vulnerabilities, this thesis proposes a code-security oriented commit prioritization method and validates its effectiveness through a series of experiments based on software process simulation. The method consists of two components: a security vulnerability prediction model and a commit prioritization algorithm. For the prediction model, abstract syntax tree (AST) information is extracted from the code under test. After this information is processed and analyzed, BERT is used to learn from the AST, and a vulnerability prediction model at the granularity of a function or method is proposed once the basic patterns of vulnerable code can be identified. The model's performance is evaluated on two standard datasets, the Juliet test suite and the OWASP Benchmark. The experimental results show that the model achieved an average accuracy of 96% and a recall of 93%. For the prioritization algorithm, the two different states of commits are combined with the results of the prediction model, and the algorithm orders the commits in the waiting queue according to their number of vulnerable methods.

To validate the effectiveness of the prioritization method, this thesis conducts a series of experiments based on software process simulation. With reference to the integration process provided by Travis CI, this thesis develops its static process model and the corresponding dynamic simulation model. The experiments simulate 648 different scenarios based on project data and empirical parameters from related research. The simulation results show that the proposed method can improve feedback efficiency and reduce the overall build time of the studied project. Under certain conditions, the relative time saving from applying the prioritization method can reach up to 65%, and the method has broad opportunities for practical application. This thesis also explores the impact of three external factors on the prioritization method, namely the commit interval, the commit vulnerability rate and the proportion of vulnerable methods, which offers an effective reference for putting the method into practice.
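The queue behaviour described above, as an added illustration that is not the thesis's own simulation model: a small discrete-event simulation of a CI waiting queue with a fixed pool of servers, comparing FIFO order against ordering by the predicted number of vulnerable methods. The ranking rule (most predicted vulnerable methods first, FIFO among ties), the commit data and the two-server pool are all constructed assumptions; the "two states of commits" mentioned in the abstract are not modelled here.

```python
import heapq
from dataclasses import dataclass

@dataclass(frozen=True)
class Commit:
    cid: str
    arrival: float       # time the commit enters the CI waiting queue
    build_time: float    # build duration once a server is allocated
    vuln_methods: int    # predicted number of vulnerable methods (model output)

def simulate(commits, servers, prioritize):
    """Discrete-event simulation of a CI waiting queue with a fixed server pool.
    Returns {cid: feedback time}, feedback = build finish time - arrival time.
    prioritize=False: FIFO.  prioritize=True: most predicted vulnerable methods
    first, FIFO among ties (assumed ranking rule, not the thesis's algorithm)."""
    pending = sorted(commits, key=lambda c: c.arrival)  # not yet arrived
    arrival = {c.cid: c.arrival for c in commits}
    waiting, running, feedback = [], [], {}   # two heaps and the result map
    t, seq = 0.0, 0
    while pending or waiting or running:
        # admit every commit that has arrived by now into the waiting queue
        while pending and pending[0].arrival <= t:
            c = pending.pop(0)
            rank = -c.vuln_methods if prioritize else 0
            heapq.heappush(waiting, ((rank, c.arrival, seq), c))
            seq += 1
        # allocate free servers to the head of the ordered queue
        while waiting and len(running) < servers:
            _, c = heapq.heappop(waiting)
            heapq.heappush(running, (t + c.build_time, c.cid))
        # jump to the next event: a build finishing or a new commit arriving
        t = min(([running[0][0]] if running else []) +
                ([pending[0].arrival] if pending else []))
        while running and running[0][0] <= t:
            done, cid = heapq.heappop(running)
            feedback[cid] = done - arrival[cid]
    return feedback

def mean_feedback(commits, feedback, vulnerable_only=False):
    """Mean time from commit to build result, optionally over vulnerable commits only."""
    picked = [c for c in commits if not vulnerable_only or c.vuln_methods > 0]
    return sum(feedback[c.cid] for c in picked) / len(picked)

# Constructed sample: five commits, two of them predicted vulnerable (c and e).
SAMPLE_COMMITS = [
    Commit("a", 0, 8, 0), Commit("b", 0, 8, 0), Commit("c", 1, 4, 2),
    Commit("d", 2, 6, 0), Commit("e", 3, 4, 5),
]

if __name__ == "__main__":
    for policy in (False, True):
        fb = simulate(SAMPLE_COMMITS, servers=2, prioritize=policy)
        print("prioritized" if policy else "FIFO", "vulnerable-commit mean feedback:",
              mean_feedback(SAMPLE_COMMITS, fb, vulnerable_only=True))
```

With two servers the total work is the same under both policies, so the overall mean feedback time is unchanged; what the prioritized order buys is earlier feedback on the commits the model flags as vulnerable.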