SECOMlint: A linter for Security Commit Messages
Sofia Reis, Corina Pasareanu, Rui Abreu, Hakan Erdogmus

TL;DR
SECOMlint is an automated tool that uses NLP techniques to verify compliance of security commit messages with the SECOM standard, improving security documentation quality.
Contribution
It introduces SECOMlint, the first automated, configurable linter for security commit messages based on the SECOM standard, utilizing NER for compliance checking.
Findings
Successfully demonstrates SECOMlint's effectiveness in compliance detection
Provides accessible documentation and source code for community use
Enhances security patch documentation through standardization
Abstract
Transparent and efficient vulnerability and patch disclosure are still a challenge in the security community, essentially because of the poor-quality documentation stemming from the lack of standards. SECOM is a recently-proposed standard convention for security commit messages that enables the writing of well-structured and complete commit messages for security patches. The convention prescribes different bits of security-related information essential for a better understanding of vulnerabilities by humans and tools. SECOMlint is an automated and configurable solution to help security and maintenance teams infer compliance against the SECOM standard when submitting patches to security vulnerabilities in their source version control systems. The tool leverages the natural language processing technique Named-Entity Recognition (NER) to extract security-related information from commit…
Taxonomy
Topics: Software Engineering Research · Web Application Security Vulnerabilities · Software Reliability and Analysis Research
