Utilization of machine learning for the detection of self-admitted vulnerabilities

TL;DR

This paper explores using machine learning and NLP techniques to automatically detect self-admitted vulnerabilities in source code comments, aiming to streamline vulnerability identification in software development.

Contribution

It introduces a novel approach combining NLP and NL-PL methods to identify SATD-related vulnerabilities and proposes a CI/CD pipeline for practical vulnerability detection.

Findings

Effective identification of SATD in source code comments

Enhanced understanding of vulnerability semantics in comments

Proposed pipeline facilitates practical vulnerability detection

Abstract

Motivation: Technical debt is a metaphor that describes not-quite-right code introduced for short-term needs. Developers are aware of it and admit it in source code comments, which is called Self- Admitted Technical Debt (SATD). Therefore, SATD indicates weak code that developers are aware of. Problem statement: Inspecting source code is time-consuming; automatically inspecting source code for its vulnerabilities is a crucial aspect of developing software. It helps practitioners reduce the time-consuming process and focus on vulnerable aspects of the source code. Proposal: Accurately identify and better understand the semantics of self-admitted technical debt (SATD) by leveraging NLP and NL-PL approaches to detect vulnerabilities and the related SATD. Finally, a CI/CD pipeline will be proposed to make the vulnerability discovery process easily accessible to practitioners.