CAPRA: Context-Aware patch risk assessment for detecting immature vulnerability in open-source software
Authors: Benxiao Tang, Shilin Zhang, Fei Zhu, Aoshuang Ye
Journal: Computers & Security, volume 157, Article 104540 (Journal Article)
DOI: 10.1016/j.cose.2025.104540
Publication date: 2025-06-06
URL: https://www.sciencedirect.com/science/article/pii/S0167404825002299
Journal impact factor: 4.8; JCR Q1 (Computer Science, Information Systems)
Record source: Semantic Scholar
Software development increasingly relies on open-source contributions, yet these projects face significant security challenges. Large collaborative codebases frequently encounter vulnerabilities because developer skill levels vary and reviewers have an incomplete understanding of the contextual implications of code changes. Traditional detection measures typically activate only after code merging, missing opportunities to detect potential risks (e.g., immature vulnerabilities). This paper presents CAPRA, a security detection tool that analyzes pending patches through static analysis to identify potential memory leak and Use-After-Free vulnerabilities before integration. Our approach employs a code property graph, eliminating compilation environment dependencies while efficiently detecting whether code modifications activate latent vulnerabilities. Using our newly constructed dataset targeting risk-triggering scenarios, experimental results demonstrate that CAPRA achieves 97.3% accuracy with 98% recall and only 3.5% false positives, confirming its effectiveness for enhancing code review processes through targeted, early vulnerability detection in rapidly iterating collaborative projects.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at professionals involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as the primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.