Abstract

Vulnerability databases are important sources of information for software security, but the information they hold is known to be inconsistent, and correcting this incorrect data is a challenging problem. In this paper, we use developer logs and patches to automatically identify the vulnerable source code versions that each CVE actually affects. Our tool organizes all versions of a piece of software into a version tree and identifies the first vulnerable version as well as the last vulnerable version on the trunk and on each branch of that tree. For evaluation, we took the Linux kernel as a case study and quantified the error rate of the vulnerable versions reported by the NVD. The NVD reported 43,727 vulnerable Linux kernel versions in total (as of September 2020); measured against that total, the number of false positives (versions listed as vulnerable that the patches show are not) was 2,497 and the number of false negatives (versions the patches show to be vulnerable that were not listed) was 9,330, i.e. 5.7% and 21.34% of the reported total, respectively. In addition, we compare our tool with two vulnerability detection tools and show that it achieves high detection accuracy.
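The version-tree reasoning sketched above, as an added illustration that is not the paper's tool or data: versions inherit the commits of their parent, a version is affected when it contains the flaw-introducing commit but none of the fix commits (mainline fix or stable backport), and the first and last affected versions per branch fall out of that. The tree, commit identifiers, branch names and the "database listing" are all constructed here to show the false-positive / false-negative comparison; the rates are computed against the number of versions the database reports, as in the abstract.

```python
"""Which released versions does a patch set actually affect?

Constructed example (not the paper's tool): a trunk v5.8..v5.12 with two
stable branches, a flaw introduced in v5.9, fixed on trunk in v5.12 and
backported only to the 5.10.y branch.  Commit ids are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass
class Version:
    name: str
    branch: str                        # "trunk" or the stable branch name
    parent: Optional["Version"]
    new_commits: FrozenSet[str]        # commits that first land in this version
    children: List["Version"] = field(default_factory=list)

    def commits(self) -> FrozenSet[str]:
        """Every commit contained in this version, inherited along the tree."""
        inherited = self.parent.commits() if self.parent else frozenset()
        return inherited | self.new_commits


def build_tree(edges) -> Dict[str, Version]:
    """edges: (name, branch, parent_name, new_commits), parents before children."""
    nodes: Dict[str, Version] = {}
    for name, branch, parent_name, new in edges:
        parent = nodes[parent_name] if parent_name else None
        node = Version(name, branch, parent, frozenset(new))
        if parent:
            parent.children.append(node)
        nodes[name] = node
    return nodes


def is_vulnerable(v: Version, introducing: str, fixes: FrozenSet[str]) -> bool:
    """Affected iff the introducing commit is present and no fix commit is."""
    c = v.commits()
    return introducing in c and not (fixes & c)


def affected_versions(nodes, introducing, fixes) -> Set[str]:
    return {n for n, v in nodes.items() if is_vulnerable(v, introducing, fixes)}


def first_vulnerable(nodes, introducing, fixes) -> Set[str]:
    """Affected versions whose parent is clean: where the flaw enters the tree."""
    return {n for n, v in nodes.items()
            if is_vulnerable(v, introducing, fixes)
            and (v.parent is None or not is_vulnerable(v.parent, introducing, fixes))}


def last_vulnerable_per_branch(nodes, introducing, fixes) -> Dict[str, str]:
    """Per branch, the affected version with no affected successor on that branch."""
    last: Dict[str, str] = {}
    for n, v in nodes.items():
        if not is_vulnerable(v, introducing, fixes):
            continue
        if any(c.branch == v.branch and is_vulnerable(c, introducing, fixes)
               for c in v.children):
            continue
        last[v.branch] = n
    return last


def compare_with_database(actual: Set[str], reported: Set[str]) -> dict:
    """False positives / negatives of a database listing, rated against its size."""
    fp, fn = reported - actual, actual - reported
    return {"false_positives": fp, "false_negatives": fn,
            "fp_rate": len(fp) / len(reported), "fn_rate": len(fn) / len(reported)}


# Constructed version tree.  "bug" introduces the flaw; "fix" is the mainline
# fix and "fix-bp" its backport.  The 5.9.y branch never receives a backport.
EDGES = [
    ("v5.8",    "trunk",  None,      {"a1"}),
    ("v5.9",    "trunk",  "v5.8",    {"b2", "bug"}),
    ("v5.9.1",  "5.9.y",  "v5.9",    {"s91"}),
    ("v5.9.2",  "5.9.y",  "v5.9.1",  {"s92"}),
    ("v5.10",   "trunk",  "v5.9",    {"c3"}),
    ("v5.10.1", "5.10.y", "v5.10",   {"s101"}),
    ("v5.10.2", "5.10.y", "v5.10.1", {"s102"}),
    ("v5.10.3", "5.10.y", "v5.10.2", {"fix-bp"}),
    ("v5.11",   "trunk",  "v5.10",   {"d4"}),
    ("v5.12",   "trunk",  "v5.11",   {"fix"}),
]
INTRODUCING = "bug"
FIXES = frozenset({"fix", "fix-bp"})
# Constructed database listing: one version too early, one past the backport,
# and the whole un-backported 5.9.y branch missing.
REPORTED = {"v5.8", "v5.9", "v5.10", "v5.10.1", "v5.10.2", "v5.10.3", "v5.11"}

if __name__ == "__main__":
    tree = build_tree(EDGES)
    actual = affected_versions(tree, INTRODUCING, FIXES)
    print("affected:", sorted(actual))
    print("first:", first_vulnerable(tree, INTRODUCING, FIXES))
    print("last per branch:", last_vulnerable_per_branch(tree, INTRODUCING, FIXES))
    print(compare_with_database(actual, REPORTED))
```

Real trees are built from the kernel's tag graph and patches are matched by commit id or backport subject, and an introducing commit can itself be backported to a stable branch, which is why `first_vulnerable` returns a set rather than a single version.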
