Vulnerability Prediction and Assessment Using Software Product Metrics and Machine Learning: What Does Not Work
2024
IEEE International Conference on Software Quality, Reliability and Security Workshops
Authors: Tim Sonnekalb and Celestino Madera Castro and Bernd Gruner and Clemens-Alexander Brust and Wolfram Amme
Abstract: Software metrics can help developers improve their code by giving them an overview of what has already been written, and in the long term they can thus help raise the software's quality. A variety of metrics exist, along with tools that calculate them. This study aims to determine whether such metrics can also be used to make statements about software security, in particular to predict the number of vulnerabilities present. We use the CVEfixes dataset, a recent snapshot of the CVE database, extract the corresponding code with and without vulnerabilities, and calculate the software metrics using the Understand and Analizo tools. Based on these metrics, we try to predict the presence of a vulnerability, or its severity, using a neural network. Unfortunately, the network was not able to make any meaningful predictions from the metrics, so we look for the causes and for what can be improved in this context. We want to highlight issues that arise when calculating software metrics for open-source software.
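As an added illustration of why product metrics struggle to separate vulnerable code from its fix (this is not code from the paper, and the simplified metric definitions below are not those of Understand or Analizo), the following computes a handful of common product metrics with Python's `ast` module on a constructed off-by-one bounds check and its one-character fix: the metric vectors come out identical, so a classifier trained on them sees the same feature vector under two different labels.

```python
import ast

# Constructed sample: an off-by-one bounds check and its fix. The only
# difference is "<=" versus "<"; no line, branch or call is added.
VULNERABLE = '''
def read_record(buf, idx):
    if idx <= len(buf):
        return buf[idx]
    raise IndexError("out of range")
'''
FIXED = VULNERABLE.replace("idx <= len(buf)", "idx < len(buf)")

DECISIONS = (ast.If, ast.For, ast.While, ast.ExceptHandler, ast.IfExp)
NESTING = (ast.If, ast.For, ast.While, ast.Try, ast.With)


def max_nesting(node, depth=0):
    """Deepest chain of control-flow statements below `node`."""
    best = depth
    for child in ast.iter_child_nodes(node):
        inner = depth + 1 if isinstance(child, NESTING) else depth
        best = max(best, max_nesting(child, inner))
    return best


def product_metrics(source):
    """Simplified size/complexity metrics of the kind fed to the classifier."""
    tree = ast.parse(source)
    nodes = list(ast.walk(tree))
    decisions = sum(isinstance(n, DECISIONS) for n in nodes)
    # Each extra operand of an and/or chain is one more decision point.
    decisions += sum(len(n.values) - 1 for n in nodes if isinstance(n, ast.BoolOp))
    return {
        "loc": sum(1 for line in source.splitlines() if line.strip()),
        "functions": sum(isinstance(n, ast.FunctionDef) for n in nodes),
        "cyclomatic": 1 + decisions,
        "calls": sum(isinstance(n, ast.Call) for n in nodes),
        "max_depth": max_nesting(tree),
    }


def metrics_distinguish(vulnerable_src, fixed_src):
    """True only if at least one metric differs between the two versions."""
    return product_metrics(vulnerable_src) != product_metrics(fixed_src)


if __name__ == "__main__":
    print(product_metrics(VULNERABLE))
    print("metrics separate vulnerable from fixed:", metrics_distinguish(VULNERABLE, FIXED))
```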