MSR 2025
Mon 28 - Tue 29 April 2025 Ottawa, Ontario, Canada
co-located with ICSE 2025

This program is tentative and subject to change.

Mon 28 Apr 2025 12:05 - 12:10 at 215 - Security and legal aspects

Machine learning-based software vulnerability detection requires high-quality datasets, which is essential for training effective models. To address challenges related to data quality, diversity, and comprehensiveness, we constructed ICVul, a dataset emphasizing data quality and enriched with comprehensive metadata, including Vulnerability-Contributing Commits (VCCs). We began by filtering Common Vulnerabilities and Exposures from the NVD, retaining only those linked to GitHub fix commits. Then we extracted functions and files along with relevant metadata from these commits and used the SZZ algorithm to trace VCCs. To further enhance label reliability, we developed the ESC (Eliminate Suspicious Commit) technique, ensuring credible data labels. The dataset is stored in a relational-like database for improved usability and data integrity. Both ICVul and its construction framework are publicly accessible on GitHub, supporting research in related field.

This program is tentative and subject to change.

Mon 28 Apr

Displayed time zone: Eastern Time (US & Canada) change

11:00 - 12:30
11:00
10m
Talk
Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack
Technical Papers
Piotr Przymus Nicolaus Copernicus University in Toruń, Poland, Thomas Durieux TU Delft
11:10
10m
Talk
Software Composition Analysis and Supply Chain Security in Apache Projects: an Empirical Study
Technical Papers
Sabato Nocera University of Salerno, Sira Vegas Universidad Politecnica de Madrid, Giuseppe Scanniello University of Salerno, Natalia Juristo Universidad Politecnica de Madrid
Pre-print
11:20
10m
Talk
Good practice versus reality: a landscape analysis of Research Software metadata adoption in European Open Science Clusters
Technical Papers
Anas El Hounsri Universidad Politécnica de Madrid, Daniel Garijo Universidad Politécnica de Madrid
11:30
10m
Talk
Towards Security Commit Message Standardization
Technical Papers
Sofia Reis Instituto Superior Técnico, U. Lisboa & INESC-ID, Rui Abreu INESC-ID; University of Porto, Corina Pasareanu CMU, NASA, KBR
11:40
10m
Talk
From Industrial Practices to Academia: Uncovering the Gap in Vulnerability Research and Practice
Technical Papers
Zhuang Liu , Xing Hu Zhejiang University, Jiayuan Zhou Queen's University, Xin Xia Huawei
11:50
5m
Talk
Patch Me If You Can—Securing the Linux Kernel
Industry Track
Gunnar Kudrjavets Amazon Web Services, USA
Pre-print
11:55
5m
Talk
OSS License Identification at Scale: A Comprehensive Dataset Using World of Code
Data and Tool Showcase Track
Mahmoud Jahanshahi Research Assistant, University of Tennessee Knoxville, David Reid University of Tennessee, Adam McDaniel University of Tennessee Knoxville, Audris Mockus The University of Tennessee
12:00
5m
Talk
SCRUBD: Smart Contracts Reentrancy and Unhandled Exceptions Vulnerability Dataset
Data and Tool Showcase Track
Chavhan Sujeet Yashavant Indian Institute of Technology, Kanpur, Mitrajsinh Chavda Indian Institute of Technology Kanpur, India, Saurabh Kumar Indian Institute of Technology Hyderabad, India, Amey Karkare IIT Kanpur, Angshuman Karmakar Indian Institute of Technology Kanpur, India
12:05
5m
Talk
ICVul: A Well-labeled C/C++ Vulnerability Dataset with Comprehensive Metadata and VCCs
Data and Tool Showcase Track
Chaomeng Lu DistriNet Group-T, KU Leuven, Tianyu Li DistriNet Group-T, KU Leuven, Toon Dehaene KU Leuven, Bert Lagaisse DistriNet Group-T, KU Leuven
12:10
5m
Talk
A Dataset of Software Bill of Materials for Evaluating SBOM Consumption Tools
Data and Tool Showcase Track
Rio Kishimoto Osaka University, Tetsuya Kanda Notre Dame Seishin University, Yuki Manabe The University of Fukuchiyama, Katsuro Inoue Nanzan University, Shi Qiu Toshiba, Yoshiki Higo Osaka University
12:15
5m
Talk
Wild SBOMs: a Large-scale Dataset of Software Bills of Materials from Public Code
Data and Tool Showcase Track
Luis Soeiro LTCI, Télécom Paris, Institut Polytechnique de Paris, Thomas Robert LTCI, Télécom Paris, Institut Polytechnique de Paris, Stefano Zacchiroli Télécom Paris, Polytechnic Institute of Paris
12:20
5m
Talk
MaLAware: Automating the Comprehension of Malicious Software Behaviours using Large Language Models (LLMs)
Data and Tool Showcase Track
BIKASH SAHA Indian Institute of Technology Kanpur, Nanda Rani Indian Institute of Technology Kanpur, Sandeep K. Shukla Indian Institute of Technology Kanpur