Locating the Security Patches for Disclosed OSS Vulnerabilities with Vulnerability-Commit Correlation Ranking

Security patches play an important role in defending against the security threats brought by the increasing OSS vulnerabilities. However, the collection of security patches still remains a challenging problem. Existing works mainly adopt a matching-based design that uses auxiliary information in CVE/NVD to reduce the search scope of patch commits. However, our preliminary study shows that these approaches can only cover a small part of disclosed OSS vulnerabilities (about 12%-53%) even with manual assistance. To facilitate the collection of OSS security patches, this paper proposes a ranking-based approach, named PatchScout, which ranks the code commits in the OSS code repository based on their correlations to a given vulnerability. By exploiting the broad correlations between a vulnerability and code commits, patch commits are expected to be put to front positions in the ranked results. Compared with existing works, our approach could help to locate more security patches and meet a balance between the patch coverage and the manual efforts involved. We evaluate PatchScout with 685 OSS CVEs and the results show that it helps to locate 92.70% patches with acceptable manual workload. To further demonstrate the utility of PatchScout, we perform a study on 5 popular OSS projects and 225 CVEs to understand the patch deployment practice across branches, and we obtain many new findings.