Security Patch Variant
DataCite Commons. Updated 2024-10-17, indexed 2025-04-16.
Download link:
https://ieee-dataport.org/documents/security-patch-variant
Resource description:
Security patches play a crucial role in the battle against Open Source Software (OSS) vulnerabilities. Meanwhile, to facilitate the development of OSS projects, both upstream and downstream developers often maintain multiple branches. Due to the different code contexts among branches, multiple security patch variants exist for the same vulnerability. Hence, to ease the management of OSS vulnerabilities, locating all patch variants of an OSS vulnerability is important. However, existing works are mainly designed to locate a patch or several patches for a vulnerability but cannot locate all of its patch variants. In this paper, we study the problem of how to accurately locate all variants of a given security patch. We motivate the problem with a preliminary study, which shows that it is rather challenging to locate all patch variants, even with a reference patch, due to the diverse practices of OSS developers in backporting patches. To overcome these challenges, we propose a new patch location method to locate all variants of a patch in a code repository (e.g., a software project or a specific version). Based on our findings in the preliminary study, our method employs a rule-based model and incorporates two-dimensional code commit features that are specifically designed for the task of locating patch variants: similarity features and representative features. On a ground-truth patch variants dataset, our method achieves a precision of 99.68% and a recall of 98.81% and significantly outperforms two state-of-the-art baselines (PATCHSCOUT and TRACER). Besides, our method shows strong capability in locating patch variants in both upstream and downstream code repositories.
Provider:
IEEE DataPort
Created:
2024-10-17