Identifying Vulnerable Third-Party Java Libraries from Textual Descriptions of Vulnerabilities and Libraries

TL;DR

This paper introduces VulLibMiner, a novel method combining TF-IDF and BERT models to improve the accuracy of identifying vulnerable third-party Java libraries from textual descriptions, outperforming existing approaches.

Contribution

VulLibMiner is the first approach to identify vulnerable libraries using textual descriptions of both vulnerabilities and libraries, enhancing detection accuracy over prior methods.

Findings

VulLibMiner achieves an average F1 score of 0.657.

It outperforms state-of-the-art approaches with an F1 score of 0.521.

The combined TF-IDF and BERT approach effectively reduces false positives.

Abstract

To address security vulnerabilities arising from third-party libraries, security researchers maintain databases monitoring and curating vulnerability reports. Application developers can identify vulnerable libraries by directly querying the databases with their used libraries. However, the querying results of vulnerable libraries are not reliable due to the incompleteness of vulnerability reports. Thus, current approaches model the task of identifying vulnerable libraries as a named-entity-recognition (NER) task or an extreme multi-label learning (XML) task. These approaches suffer from highly inaccurate results in identifying vulnerable libraries with complex and similar names, e.g., Java libraries. To address these limitations, in this paper, we propose VulLibMiner, the first to identify vulnerable libraries from textual descriptions of both vulnerabilities and libraries, together with VulLib, a Java vulnerability dataset with their affected libraries. VulLibMiner consists of a TF-IDF matcher to efficiently screen out a small set of candidate libraries and a BERT-FNN model to identify vulnerable libraries from these candidates effectively. We evaluate VulLibMiner using four state-of-the-art/practice approaches of identifying vulnerable libraries on both their dataset named VeraJava and our VulLib dataset. Our evaluation results show that VulLibMiner can effectively identify vulnerable libraries with an average F1 score of 0.657 while the state-of-the-art/practice approaches achieve only 0.521.