{"id":"https://openalex.org/W3137480023","doi":"https://doi.org/10.1145/3649590","title":"Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories","display_name":"Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories","publication_year":2024,"publication_date":"2024-03-04","ids":{"openalex":"https://openalex.org/W3137480023","doi":"https://doi.org/10.1145/3649590","mag":"3137480023"},"language":"en","primary_location":{"id":"doi:10.1145/3649590","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3649590","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3649590","source":{"id":"https://openalex.org/S142627899","display_name":"ACM Transactions on Software Engineering and Methodology","issn_l":"1049-331X","issn":["1049-331X","1557-7392"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Software Engineering and Methodology","raw_type":"journal-article"},"type":"article","indexed_in":["arxiv","crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3649590","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5017943734","display_name":"Daan Hommersom","orcid":"https://orcid.org/0009-0008-7202-7495"},"institutions":[{"id":"https://openalex.org/I83019370","display_name":"Eindhoven University of Technology","ror":"https://ror.org/02c2kyt77","country_code":"NL","type":"education","lineage":["https://openalex.org/I83019370"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Daan Hommersom","raw_affiliation_strings":["Eindhoven University of Technology - JADS, \u2019s-Hertogenbosch, The Netherlands","Eindhoven University of Technology - JADS, 's-Hertogenbosch, The Netherlands"],"raw_orcid":"https://orcid.org/0009-0008-7202-7495","affiliations":[{"raw_affiliation_string":"Eindhoven University of Technology - JADS, \u2019s-Hertogenbosch, The Netherlands","institution_ids":["https://openalex.org/I83019370"]},{"raw_affiliation_string":"Eindhoven University of Technology - JADS, 's-Hertogenbosch, The Netherlands","institution_ids":["https://openalex.org/I83019370"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5040107971","display_name":"Antonino Sabetta","orcid":"https://orcid.org/0000-0003-3506-8374"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Antonino Sabetta","raw_affiliation_strings":["SAP Labs, Mougins, France","SAP Security Research, Nice, France"],"raw_orcid":"https://orcid.org/0000-0003-3506-8374","affiliations":[{"raw_affiliation_string":"SAP Labs, Mougins, France","institution_ids":[]},{"raw_affiliation_string":"SAP Security Research, Nice, France","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5028595273","display_name":"Bonaventura Coppola","orcid":"https://orcid.org/0009-0003-2330-6993"},"institutions":[{"id":"https://openalex.org/I193223587","display_name":"University of Trento","ror":"https://ror.org/05trd4x28","country_code":"IT","type":"education","lineage":["https://openalex.org/I193223587"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Bonaventura Coppola","raw_affiliation_strings":["University of Trento, Trento, Italy"],"raw_orcid":"https://orcid.org/0009-0003-2330-6993","affiliations":[{"raw_affiliation_string":"University of Trento, Trento, Italy","institution_ids":["https://openalex.org/I193223587"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5072127726","display_name":"Dario Di Nucci","orcid":"https://orcid.org/0000-0002-3861-1902"},"institutions":[{"id":"https://openalex.org/I131729948","display_name":"University of Salerno","ror":"https://ror.org/0192m2k53","country_code":"IT","type":"education","lineage":["https://openalex.org/I131729948"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Dario Di Nucci","raw_affiliation_strings":["University of Salerno, Fisciano, Italy"],"raw_orcid":"https://orcid.org/0000-0002-3861-1902","affiliations":[{"raw_affiliation_string":"University of Salerno, Fisciano, Italy","institution_ids":["https://openalex.org/I131729948"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5000349425","display_name":"Damian A. Tamburri","orcid":"https://orcid.org/0000-0003-1230-8961"},"institutions":[{"id":"https://openalex.org/I83019370","display_name":"Eindhoven University of Technology","ror":"https://ror.org/02c2kyt77","country_code":"NL","type":"education","lineage":["https://openalex.org/I83019370"]}],"countries":["NL"],"is_corresponding":false,"raw_author_name":"Damian A. Tamburri","raw_affiliation_strings":["Eindhoven University of Technology - JADS, \u2019s-Hertogenbosch, The Netherlands","Eindhoven University of Technology - JADS, 's-Hertogenbosch, The Netherlands"],"raw_orcid":"https://orcid.org/0000-0003-1230-8961","affiliations":[{"raw_affiliation_string":"Eindhoven University of Technology - JADS, \u2019s-Hertogenbosch, The Netherlands","institution_ids":["https://openalex.org/I83019370"]},{"raw_affiliation_string":"Eindhoven University of Technology - JADS, 's-Hertogenbosch, The Netherlands","institution_ids":["https://openalex.org/I83019370"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":5,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":4.4802,"has_fulltext":true,"cited_by_count":6,"citation_normalized_percentile":{"value":0.94621773,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":98},"biblio":{"volume":"33","issue":"5","first_page":"1","last_page":"28"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.9984999895095825,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.9984999895095825,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9973999857902527,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9966999888420105,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7711318135261536},{"id":"https://openalex.org/keywords/open-source","display_name":"Open source","score":0.5233577489852905},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.48324283957481384},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.3910854458808899},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.33653929829597473},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.28641438484191895},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.08416754007339478}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7711318135261536},{"id":"https://openalex.org/C3018397939","wikidata":"https://www.wikidata.org/wiki/Q3644502","display_name":"Open source","level":3,"score":0.5233577489852905},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.48324283957481384},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.3910854458808899},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.33653929829597473},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.28641438484191895},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.08416754007339478}],"mesh":[],"locations_count":4,"locations":[{"id":"doi:10.1145/3649590","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3649590","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3649590","source":{"id":"https://openalex.org/S142627899","display_name":"ACM Transactions on Software Engineering and Methodology","issn_l":"1049-331X","issn":["1049-331X","1557-7392"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Software Engineering and Methodology","raw_type":"journal-article"},{"id":"pmh:oai:arXiv.org:2103.13375","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2103.13375","pdf_url":"https://arxiv.org/pdf/2103.13375","source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},{"id":"pmh:oai:pure.tue.nl:openaire/bb689eb3-1e40-4525-980d-eeeecaa15843","is_oa":true,"landing_page_url":"https://research.tue.nl/en/publications/bb689eb3-1e40-4525-980d-eeeecaa15843","pdf_url":"https://pure.tue.nl/ws/files/349727102/3649590.pdf","source":{"id":"https://openalex.org/S4406922641","display_name":"TU/e Research Portal","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Hommersom, D, Sabetta, A, Coppola, B, Di Nucci, D & Tamburri, D A 2024, 'Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories', ACM Transactions on Software Engineering and Methodology, vol. 33, no. 5, 134. https://doi.org/10.1145/3649590","raw_type":"info:eu-repo/semantics/publishedVersion"},{"id":"pmh:oai:pure.tue.nl:publications/bb689eb3-1e40-4525-980d-eeeecaa15843","is_oa":true,"landing_page_url":"https://research.tue.nl/files/349727102/3649590.pdf","pdf_url":null,"source":{"id":"https://openalex.org/S4406922641","display_name":"TU/e Research Portal","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Hommersom, D, Sabetta, A, Coppola, B, Di Nucci, D & Tamburri, D A 2024, 'Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories', ACM Transactions on Software Engineering and Methodology, vol. 33, no. 5, 134. https://doi.org/10.1145/3649590","raw_type":"info:eu-repo/semantics/publishedVersion"}],"best_oa_location":{"id":"doi:10.1145/3649590","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3649590","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3649590","source":{"id":"https://openalex.org/S142627899","display_name":"ACM Transactions on Software Engineering and Methodology","issn_l":"1049-331X","issn":["1049-331X","1557-7392"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319798","host_organization_name":"Association for Computing Machinery","host_organization_lineage":["https://openalex.org/P4310319798"],"host_organization_lineage_names":["Association for Computing Machinery"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"ACM Transactions on Software Engineering and Methodology","raw_type":"journal-article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.5899999737739563,"id":"https://metadata.un.org/sdg/16"}],"awards":[{"id":"https://openalex.org/G5066738871","display_name":"Assurance and certification in secure Multi-party Open Software and Services.","funder_award_id":"952647","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"},{"id":"https://openalex.org/G510361925","display_name":"Cybersecurity for AI-Augmented Systems","funder_award_id":"101120393","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"}],"funders":[{"id":"https://openalex.org/F4320320300","display_name":"European Commission","ror":"https://ror.org/00k4n6c32"}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W3137480023.pdf","grobid_xml":"https://content.openalex.org/works/W3137480023.grobid-xml"},"referenced_works_count":22,"referenced_works":["https://openalex.org/W1964593071","https://openalex.org/W2069268700","https://openalex.org/W2101234009","https://openalex.org/W2150018006","https://openalex.org/W2740329368","https://openalex.org/W2766411424","https://openalex.org/W2767521898","https://openalex.org/W2962698568","https://openalex.org/W2963926786","https://openalex.org/W2964080672","https://openalex.org/W2991305803","https://openalex.org/W2993034258","https://openalex.org/W2997591727","https://openalex.org/W3001965384","https://openalex.org/W3040158574","https://openalex.org/W3041550943","https://openalex.org/W3046757114","https://openalex.org/W3048065912","https://openalex.org/W3138597995","https://openalex.org/W4240006276","https://openalex.org/W4289976167","https://openalex.org/W4390604801"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2748952813","https://openalex.org/W2390279801","https://openalex.org/W2358668433","https://openalex.org/W4396701345","https://openalex.org/W2376932109","https://openalex.org/W2001405890","https://openalex.org/W4396696052","https://openalex.org/W2382290278","https://openalex.org/W4395014643"],"abstract_inverted_index":{"The":[0,174],"lack":[1],"of":[2,5,49,93,104,126,141,160,170,249,262],"comprehensive":[3],"sources":[4],"accurate":[6],"vulnerability":[7,64,120,224],"data":[8,208],"represents":[9],"a":[10,63,91,134,167,253],"critical":[11],"obstacle":[12],"to":[13,118,147,181,187,192,221,247,278],"studying":[14],"and":[15,36,201],"understanding":[16],"software":[17,281],"vulnerabilities":[18,251],"(and":[19],"their":[20],"corrections).":[21],"In":[22],"this":[23,44],"article,":[24],"we":[25,53,202],"present":[26],"an":[27,55,69,206],"approach":[28,200],"that":[29,65,112,144,214,268,287],"combines":[30],"heuristics":[31],"stemming":[32],"from":[33,68,99],"practical":[34],"experience":[35],"machine-learning":[37],"(ML)\u2014specifically,":[38],"natural":[39,86],"language":[40],"processing":[41],"(NLP)\u2014to":[42],"address":[43],"problem.":[45],"Our":[46,265],"method":[47,132,165,270],"consists":[48],"three":[50],"phases.":[51],"First,":[52],"construct":[54],"advisory":[56,153],"record":[57],"object":[58],"containing":[59],"key":[60],"information":[61],"about":[62],"is":[66,97,184],"extracted":[67],"advisory,":[70],"such":[71],"as":[72,116],"those":[73],"found":[74],"in":[75,85,231],"the":[76,100,105,119,127,139,142,152,158,178,188,195,228,232,250,257,263,274,285],"National":[77],"Vulnerability":[78],"Database":[79],"(NVD).":[80],"These":[81],"advisories":[82],"are":[83,145],"expressed":[84],"language.":[87],"Second,":[88],"using":[89],"heuristics,":[90],"subset":[92],"candidate":[94,129,171],"fix":[95,218,243,254,288],"commits":[96,111,219,230,286],"obtained":[98],"source":[101],"code":[102],"repository":[103],"affected":[106],"project,":[107],"by":[108,177,211],"filtering":[109],"out":[110],"can":[113,271],"be":[114],"identified":[115],"unrelated":[117],"at":[121,154,240],"hand.":[122,155],"Finally,":[123],"for":[124,245,260,284],"each":[125,182],"remaining":[128],"commits,":[130],"our":[131,164,199,235,269],"builds":[133],"numerical":[135],"feature":[136,162,183],"vector":[137],"reflecting":[138],"characteristics":[140],"commit":[143,244,255],"relevant":[146],"predicting":[148],"its":[149],"match":[150],"with":[151],"Based":[156],"on":[157,205,256],"values":[159],"these":[161],"vectors,":[163],"produces":[166],"ranked":[168,233],"list":[169],"fixing":[172],"commits.":[173],"score":[175],"attributed":[176],"ML":[179],"model":[180],"kept":[185],"visible":[186],"users,":[189],"allowing":[190],"them":[191],"easily":[193],"interpret":[194],"predictions.":[196],"We":[197],"implemented":[198],"evaluated":[203],"it":[204],"open":[207],"set,":[209],"built":[210],"manual":[212,275],"curation,":[213],"comprises":[215],"2,391":[216],"known":[217,289],"corresponding":[220],"1,248":[222],"public":[223],"advisories.":[225],"When":[226],"considering":[227],"top-10":[229],"results,":[234],"implementation":[236],"could":[237],"successfully":[238],"identify":[239],"least":[241],"one":[242],"up":[246],"84.03%":[248],"(with":[252],"first":[258],"position":[259],"65.06%":[261],"vulnerabilities).":[264],"evaluation":[266],"shows":[267],"reduce":[272],"considerably":[273],"effort":[276],"needed":[277],"search":[279],"open-source":[280],"(OSS)":[282],"repositories":[283],"vulnerabilities.":[290]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":3},{"year":2024,"cited_by_count":1},{"year":2022,"cited_by_count":1}],"updated_date":"2026-06-22T08:00:12.763002","created_date":"2025-10-10T00:00:00"}