
Research And Platform Implementation Of Patch Management Technology For Open Source Software Vulnerabilities

Posted on: 2024-06-26
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Yang
Full Text: PDF
GTID: 2568306917456784
Subject: Master of Electronic Information (Professional Degree)
Abstract/Summary:
The growing number of open source software vulnerabilities poses a significant risk to software security, and patches play a very important role in addressing this risk. Unfortunately, although most vulnerability patches are developed before the vulnerability is disclosed, only some are made public together with the vulnerability, and, because patch backporting is complex, only some software branches deploy the patch at the same time, leaving software users exposed to the growing threat of vulnerabilities. In recent years, researchers have explored vulnerability patch management in order to locate unpublished vulnerability patches and mark software branches that have not yet deployed a patch, but these methods require a great deal of manual work, making it difficult to strike a good balance between effectiveness and cost. In response to these problems, this thesis explores vulnerability patch management. The specific contributions are as follows:

(1) A ranking-based patch localization technique for open source software vulnerabilities. This technique addresses the partial absence of vulnerability data and the poor localization accuracy of prior art: it supplements the vulnerability data by extending the vulnerability data source, and it extracts more targeted correlation features based on factors that better reflect the association between vulnerabilities and patches, such as the textual similarity between the vulnerability and the patch, and the causes of vulnerabilities and their resulting outcomes. Further, this technique uses a learning-to-rank model to rank all commits of the project in which the vulnerability is located according to these correlation features, and validates the ranking results to locate the patch for a vulnerability, which further ensures the accuracy of the technique. Comparative experimental results on a publicly available dataset show that this technique outperforms the baseline techniques in both Top-1 recall and manual review time.

(2) A multi-branch patch correlation analysis technique for open source software vulnerabilities based on code graph representation. This technique addresses the problem that existing techniques cannot automatically correlate the patches of a vulnerability across different branches. It extracts code graphs that reflect syntactic and semantic change features by graph characterization of the master-branch patch and of the commits of the other affected branches, and it uses H2MN graph matching networks and an XGBoost model to predict, respectively, whether these code graphs match and whether the patches and commits match. This determines whether a patch exists among all commits of an affected branch, and automates the correlation between the main-branch patch of a vulnerability and the patches of the different branches affected by it. The experimental results show that the accuracy and precision of this technique reach 98.94% and 96.14%, respectively.

(3) An open source software vulnerability patch management system. This system provides users with vulnerability patch management services, assists developers in locating vulnerability patches, and helps maintainers of open source software projects find more quickly the branches that are affected by a vulnerability but not yet fixed.
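The ranking-based localization described in contribution (1) can be illustrated on a small scale. The following Python is an added example written for this page, not code from the thesis or its platform: the vulnerabilities, commits and diffs are constructed, the cause/effect keyword lists are an assumption standing in for the thesis's features, and a pairwise perceptron is used as a minimal stand-in for the learning-to-rank model. It computes per-commit correlation features (message similarity, touched-file match, cause-term and effect-term overlap), learns feature weights from labelled examples, ranks every commit of the project, validates the top candidate, and reports Top-1 recall and the review effort (position of the true patch in the ranking).

```python
"""Ranking-based patch localization, as an added illustration (not the thesis's code)."""
import math
import os
import re
from collections import Counter
from dataclasses import dataclass

TOKEN_RE = re.compile(r"[a-z0-9_]+")
# Assumed keyword lists standing in for the thesis's vulnerability cause/effect features.
CAUSE_KEYWORDS = {"overflow", "underflow", "null", "dereference", "uninitialized",
                  "race", "injection", "length", "truncated", "bounds"}
EFFECT_KEYWORDS = {"crash", "denial", "service", "dos", "leak", "execution", "bypass"}


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


def cosine(a, b):
    """Cosine similarity of two bag-of-words Counters."""
    dot = sum(n * b.get(t, 0) for t, n in a.items())
    na = math.sqrt(sum(n * n for n in a.values()))
    nb = math.sqrt(sum(n * n for n in b.values()))
    return dot / (na * nb) if na and nb else 0.0


@dataclass
class Vulnerability:
    vuln_id: str
    description: str


@dataclass
class Commit:
    sha: str
    message: str
    files: list
    diff: str


def features(vuln, commit):
    """Correlation features between one vulnerability and one candidate commit."""
    desc = tokenize(vuln.description)
    desc_set = set(desc)
    commit_text = set(tokenize(commit.message + " " + commit.diff))
    text_sim = cosine(Counter(desc), Counter(tokenize(commit.message)))
    # Does the commit touch a file whose stem is named in the description?
    stems = {os.path.splitext(os.path.basename(f))[0].lower() for f in commit.files}
    file_hit = 1.0 if stems & desc_set else 0.0
    cause = desc_set & CAUSE_KEYWORDS
    effect = desc_set & EFFECT_KEYWORDS
    cause_hit = len(cause & commit_text) / len(cause) if cause else 0.0
    effect_hit = len(effect & commit_text) / len(effect) if effect else 0.0
    return [text_sim, file_hit, cause_hit, effect_hit]


def score(weights, feats):
    return sum(w * f for w, f in zip(weights, feats))


def train_pairwise(dataset, epochs=5):
    """Pairwise perceptron (assumed stand-in for learning-to-rank): whenever a
    non-patch commit scores at least as high as the true patch, move the weights
    towards the patch's features. With tiny data some weights may stay zero."""
    weights = [0.0] * 4
    for _ in range(epochs):
        for vuln, commits, patch_sha in dataset:
            patch = next(c for c in commits if c.sha == patch_sha)
            fp = features(vuln, patch)
            for other in commits:
                if other.sha == patch_sha:
                    continue
                fo = features(vuln, other)
                if score(weights, fp) <= score(weights, fo):
                    weights = [w + a - b for w, a, b in zip(weights, fp, fo)]
    return weights


def rank_commits(weights, vuln, commits):
    """All commits of the project, most to least likely to be the patch."""
    scored = [(score(weights, features(vuln, c)), c.sha) for c in commits]
    return [sha for _, sha in sorted(scored, reverse=True)]


def validate_top(weights, vuln, commits):
    """Accept the top candidate only if it has a direct link (touched file or
    cause overlap) to the vulnerability; otherwise return None for manual review."""
    top_sha = rank_commits(weights, vuln, commits)[0]
    top = next(c for c in commits if c.sha == top_sha)
    _, file_hit, cause_hit, _ = features(vuln, top)
    return top_sha if file_hit or cause_hit else None


def top1_recall(weights, dataset):
    return sum(rank_commits(weights, v, cs)[0] == p for v, cs, p in dataset) / len(dataset)


def review_effort(weights, vuln, commits, patch_sha):
    """Commits a reviewer must inspect, top-down, before reaching the true patch."""
    return rank_commits(weights, vuln, commits).index(patch_sha) + 1


# Constructed sample data (hypothetical projects, commits and identifiers).
VULN_PNG = Vulnerability("VULN-PLACEHOLDER-1",
    "Heap buffer overflow in png_read_chunk() in pngread.c when handling an "
    "oversized chunk length, leading to a crash (denial of service).")
COMMITS_PNG = [
    Commit("c1", "Update copyright year", ["README"], "-2023 +2024"),
    Commit("c2", "pngread: check chunk length against buffer size before copying "
           "to avoid heap overflow", ["pngread.c"],
           "+if (length > sizeof(buf)) return PNG_ERROR;\n memcpy(buf, data, length);"),
    Commit("c3", "Add CI workflow for building and testing",
           [".github/workflows/ci.yml"], "+name: ci"),
    Commit("c4", "pngwrite: fix typo in error message", ["pngwrite.c"],
           "-Unexpeced +Unexpected"),
]
VULN_HDR = Vulnerability("VULN-PLACEHOLDER-2",
    "Null pointer dereference in parse_header() in header.c on truncated input "
    "causes a crash.")
COMMITS_HDR = [
    Commit("c5", "build: refactor Makefile targets", ["Makefile"], "+all: lib"),
    Commit("c6", "header: reject truncated input before parse_header dereferences "
           "the pointer", ["header.c"], "+if (len < HEADER_SIZE) return NULL;"),
    Commit("c7", "docs: describe parse_header usage", ["docs/api.md"],
           "+parse_header() returns the parsed header."),
]
DATASET = [(VULN_PNG, COMMITS_PNG, "c2"), (VULN_HDR, COMMITS_HDR, "c6")]

if __name__ == "__main__":
    w = train_pairwise(DATASET)
    for vuln, commits, patch in DATASET:
        print(vuln.vuln_id, rank_commits(w, vuln, commits),
              "validated:", validate_top(w, vuln, commits),
              "review effort:", review_effort(w, vuln, commits, patch))
    print("Top-1 recall:", top1_recall(w, DATASET))
```

On this constructed data the learned weights favour the touched-file and cause-term features, and both true patches rank first, so Top-1 recall is 1.0 and the review effort is one commit per vulnerability. The validation step matters when the ranking is less clear-cut: a top candidate that shares neither a file nor a cause term with the vulnerability is handed to manual review rather than reported as the patch, which is the trade-off between automation and cost the abstract describes.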
Keywords/Search Tags:Patch Management, Patch Localization, Patch Correlation, Learning To Rank, Graph Matching Network