short-paper

Open access

SECOM: towards a convention for security commit messages

Authors:

Sofia Reis,

Rui Abreu,

Hakan Erdogmus,

Corina PăsăreanuAuthors Info & Claims

MSR '22: Proceedings of the 19th International Conference on Mining Software Repositories

Pages 764 - 765

https://doi.org/10.1145/3524842.3528513

Published: 17 October 2022 Publication History

PDF eReader

Abstract

One way to detect and assess software vulnerabilities is by extracting security-related information from commit messages. Automating the detection and assessment of vulnerabilities upon security commit messages is still challenging due to the lack of structured and clear messages. We created a convention, called SECOM, for security commit messages that structure and include bits of security-related information that are essential for detecting and assessing vulnerabilities for both humans and tools. The full convention and details are available here: https://tqrg.github.io/secom/.

References

[1]

S. Chakraborty, R. Krishna, Y. Ding, and B. Ray. Deep learning based vulnerability detection: Are we there yet. IEEE Transactions on Software Engineering, (01):1--1, jun 5555.

Google Scholar

[2]

Sofia Reis and Rui Abreu. SECBENCH: A database of real security vulnerabilities. In International Workshop on Secure Software Engineering in DevOps and Agile Development co-located with the (ESORICS 2017), Oslo, Norway, September 14, 2017, pages 69--85, 2017.

Google Scholar

[3]

Serena E. Ponta, Henrik Plate, Antonino Sabetta, Michele Bezzi, and Cédric Dangremont. A manually-curated dataset of fixes to vulnerabilities of open-source software. In Proceedings of the 16th International Conference on Mining Software Repositories, MSR '19, page 383--387. IEEE Press, 2019.

Digital Library

Google Scholar

[4]

Jiahao Fan, Yi Li, Shaohua Wang, and Tien N. Nguyen. A C/C++ Code Vulnerability Dataset with Code Changes and CVE Summaries, page 508--512. Association for Computing Machinery, New York, NY, USA, 2020.

Google Scholar

[5]

Guru Bhandari, Amara Naseer, and Leon Moonen. Cvefixes: Automated collection of vulnerabilities and their fixes from open-source software. In Proceedings of the 17th International Conference on Predictive Models and Data Analytics in Software Engineering, PROMISE 2021, page 30--39, New York, NY, USA, 2021. Association for Computing Machinery.

Digital Library

Google Scholar

[6]

Arthur D. Sawadogo, Tegawendé F. Bissyandé, Naouel Moha, Kevin Allix, Jacques Klein, Li Li, and Yves Le Traon. Learning to catch security patches. CoRR, abs/2001.09148, 2020.

Google Scholar

[7]

Hazim Hanif, Mohd Hairul Nizam Md Nasir, Mohd Faizal Ab Razak, Ahmad Firdaus, and Nor Badrul Anuar. The rise of software vulnerability: Taxonomy of software vulnerabilities detection and machine learning approaches. Journal of Network and Computer Applications, 179:103009, 2021.

Crossref

Google Scholar

[8]

Yunhui Zheng, Saurabh Pujar, Burn Lewis, Luca Buratti, Edward Epstein, Bo Yang, Jim Laredo, Alessandro Morari, and Zhong Su. D2A: A Dataset Built for AI-Based Vulnerability Detection Methods Using Differential Analysis, page 111--120. IEEE Press, 2021.

Google Scholar

[9]

Conventional commits. https://www.conventionalcommits.org/en/v1.0.0/. Accessed April 13, 2022.

Google Scholar

[10]

Sean Patterson. Developer tip: Keep your commits "atomic". https://www.freshconsulting.com/insights/blog/atomic-commits/. Accessed April 13, 2022.

Google Scholar

[11]

Linus Torvalds. Linus torvalds describes a good commit message. https://github.com/torvalds/subsurface-for-dirk/blob/a48494d2fbed58c751e9b7e8fbff88582f9b2d02/README#L88. Accessed April 13, 2022.

Google Scholar

[12]

Chris Beams. How to write a git commit message. https://cbea.ms/git-commit/. Accessed April 13, 2022.

Google Scholar

Cited By

View all

Vu TBui TDo TNguyen TVo HNguyen S(2025)Automated description generation for software patchesInformation and Software Technology10.1016/j.infsof.2024.107543177(107543)Online publication date: Jan-2025
https://doi.org/10.1016/j.infsof.2024.107543
Akhoundali JNouri SRietveld KGadyatskaya OShang WLamothe MWan Z(2024)MoreFixes: A Large-Scale Dataset of CVE Fix Commits Mined through Enhanced Repository DiscoveryProceedings of the 20th International Conference on Predictive Models and Data Analytics in Software Engineering10.1145/3663533.3664036(42-51)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.1145/3663533.3664036

Index Terms

SECOM: towards a convention for security commit messages
1. Security and privacy
  1. Software and application security
    1. Software security engineering
2. Software and its engineering
  1. Software creation and management
    1. Software post-development issues
      1. Software evolution

Recommendations

Are security commit messages informative? Not enough!
EASE '23: Proceedings of the 27th International Conference on Evaluation and Assessment in Software Engineering

The fast distribution and deployment of security patches are important to protect users against cyberattacks. These fixes can be detected automatically by patch management triage systems. However, previous work has shown that automating the task is not ...
IT Security and Privacy Standards in Comparison: Improving FedRAMP Authorization for Cloud Service Providers
CCGrid '17: Proceedings of the 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing

To demonstrate compliance with privacy and security principles, information technology (IT) service providers often rely on security standards and certifications. However, the appearance of new service models such as cloud computing has brought new ...
Toward efficient smartification of the Internet of Things (IoT) services
Abstract
The Internet of Things (IoT) comprises several communication network technology standards and most of them are currently operating in silos. However, to achieve the IoT paradigm’s main goal, which is to deliver efficient and high-...
Highlights
- We analyze the risks that are prevalent when there is a lack of cross-domain integration within the IoT.

Comments

Information & Contributors

Information

Published In

MSR '22: Proceedings of the 19th International Conference on Mining Software Repositories

May 2022

815 pages

ISBN:9781450393034

DOI:10.1145/3524842

General Chair:
David Lo
Singapore Management University, Singapore
,
Program Chairs:
Shane McIntosh
University of Waterloo, Canada
,
Nicole Novielli
University of Bari, Italy

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

IEEE CS

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 October 2022

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Short-paper

Funding Sources

Fundação para a Ciencia e a Tecnologia
Fundação para a Ciencia e a Tecnologia

Conference

MSR '22

Sponsor:

SIGSOFT

MSR '22: 19th International Conference on Mining Software Repositories

May 23 - 24, 2022

Pennsylvania, Pittsburgh

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
309
Total Downloads

Downloads (Last 12 months)181
Downloads (Last 6 weeks)28

Reflects downloads up to 24 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Vu TBui TDo TNguyen TVo HNguyen S(2025)Automated description generation for software patchesInformation and Software Technology10.1016/j.infsof.2024.107543177(107543)Online publication date: Jan-2025
https://doi.org/10.1016/j.infsof.2024.107543
Akhoundali JNouri SRietveld KGadyatskaya OShang WLamothe MWan Z(2024)MoreFixes: A Large-Scale Dataset of CVE Fix Commits Mined through Enhanced Repository DiscoveryProceedings of the 20th International Conference on Predictive Models and Data Analytics in Software Engineering10.1145/3663533.3664036(42-51)Online publication date: 10-Jul-2024
https://dl.acm.org/doi/10.1145/3663533.3664036

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Are security commit messages informative? Not enough!

IT Security and Privacy Standards in Comparison: Improving FedRAMP Authorization for Cloud Service Providers

Toward efficient smartification of the Internet of Things (IoT) services

Comments

Published In

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Upcoming Conference

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF

eReader

Login options

Full Access

Abstract

References

Cited By

Index Terms

Recommendations

Are security commit messages informative? Not enough!

IT Security and Privacy Standards in Comparison: Improving FedRAMP Authorization for Cloud Service Providers

Toward efficient smartification of the Internet of Things (IoT) services

Comments

Information

Published In

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

PDF

eReader

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations