Xu Congying, Chen Bihuan, Zhao Wenyun. A METHOD FOR FINDING AND PARSING PATCHES FOR OPEN SOURCE SOFTWARE VULNERABILITIES[J]. Computer Applications and Software, 2025, 42(4): 1-7,32. DOI: 10.3969/j.issn.1000x.386x.2025.04.001

A METHOD FOR FINDING AND PARSING PATCHES FOR OPEN SOURCE SOFTWARE VULNERABILITIES

  • Patches, as a valuable piece of information for securityrelated tasks, are often missing in security advisories. In this article, we propose an automated approach, named PatFinder, to find and parse patches for open source software (OSS) vulnerabilities. First, PatFinder identified commits from numerous vulnerabilityrelated references. Then, PatFinder selected patches based on code changes of identified commits and a weighted voting mechanism. Finally, based on designed patch parsing methods, metadata of patches (i.e.KG-*4, paths of modified files and names of functions) was obtained. Our experiment has shown that PatFinder can achieve a coverage of 73.10% and a recall of 0.802, significantly improving the coverage and recall of existing approaches.