MSR 2025
Mon 28 - Tue 29 April 2025 Ottawa, Ontario, Canada
co-located with ICSE 2025

This program is tentative and subject to change.

Mon 28 Apr 2025 11:40 - 11:50 at 215 - Security and legal aspects

The rising number of vulnerabilities has attracted significant attention from academia and industry. While the Common Vulnerabilities and Exposures (CVE) database is an industry-standard resource for organizing and researching vulnerabilities, it lacks comprehensive analysis, often requiring researchers to conduct additional investigations. This gap in detailed vulnerability information can hinder effective vulnerability management and research. To address this problem, we conduct the first empirical investigation to discover the disparities in vulnerability aspects between academia and industry. We collect a comprehensive dataset comprising 50,254 security bulletins and blogs from 36 CVE Numbering Authorities (CNAs). We extract and summarize the specific characteristics of vulnerabilities from these web pages and identify 15 key aspects for describing vulnerabilities.
Our analysis reveals that the detailed information provided by different CNAs varies significantly. The industrial practice primarily emphasizes post-disclosure aspects of vulnerabilities, such as \textit{Impact} (82.1%) and \textit{Measures} (i.e., \textit{Solution} and \textit{Mitigation}), while largely overlooking \textit{Attacker Type} (almost none), \textit{Attack Scenario} (0.3%), and details on \textit{Steps to Reproduce} (0.2%) and \textit{Vulnerability Validation & Exploitation} (almost none). We also systematically review 31 academic papers on vulnerabilities to identify the primary aspects of academic research. Our findings indicate the lack of research on \textit{Attack Scenario} and \textit{Attack Method} in academia. Academic research on vulnerabilities primarily focuses on \textit{Fix/Patch Release} (13 out of 31), with significant attention to patch generation, porting, search, and vulnerability repair. By offering insights to industry and academia, we aim to stimulate the advancement of vulnerability research. In the future, the aspect \textit{Attack scenario} of vulnerabilities holds the potential for breakthrough advancements, benefiting both industry and academia.

This program is tentative and subject to change.

Mon 28 Apr

Displayed time zone: Eastern Time (US & Canada) change

11:00 - 12:30
11:00
10m
Talk
Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack
Technical Papers
Piotr Przymus Nicolaus Copernicus University in Toruń, Poland, Thomas Durieux TU Delft
11:10
10m
Talk
Software Composition Analysis and Supply Chain Security in Apache Projects: an Empirical Study
Technical Papers
Sabato Nocera University of Salerno, Sira Vegas Universidad Politecnica de Madrid, Giuseppe Scanniello University of Salerno, Natalia Juristo Universidad Politecnica de Madrid
Pre-print
11:20
10m
Talk
Good practice versus reality: a landscape analysis of Research Software metadata adoption in European Open Science Clusters
Technical Papers
Anas El Hounsri Universidad Politécnica de Madrid, Daniel Garijo Universidad Politécnica de Madrid
11:30
10m
Talk
Towards Security Commit Message Standardization
Technical Papers
Sofia Reis Instituto Superior Técnico, U. Lisboa & INESC-ID, Rui Abreu INESC-ID; University of Porto, Corina Pasareanu CMU, NASA, KBR
11:40
10m
Talk
From Industrial Practices to Academia: Uncovering the Gap in Vulnerability Research and Practice
Technical Papers
Zhuang Liu , Xing Hu Zhejiang University, Jiayuan Zhou Queen's University, Xin Xia Huawei
11:50
5m
Talk
Patch Me If You Can—Securing the Linux Kernel
Industry Track
Gunnar Kudrjavets Amazon Web Services, USA
Pre-print
11:55
5m
Talk
OSS License Identification at Scale: A Comprehensive Dataset Using World of Code
Data and Tool Showcase Track
Mahmoud Jahanshahi Research Assistant, University of Tennessee Knoxville, David Reid University of Tennessee, Adam McDaniel University of Tennessee Knoxville, Audris Mockus The University of Tennessee
12:00
5m
Talk
SCRUBD: Smart Contracts Reentrancy and Unhandled Exceptions Vulnerability Dataset
Data and Tool Showcase Track
Chavhan Sujeet Yashavant Indian Institute of Technology, Kanpur, Mitrajsinh Chavda Indian Institute of Technology Kanpur, India, Saurabh Kumar Indian Institute of Technology Hyderabad, India, Amey Karkare IIT Kanpur, Angshuman Karmakar Indian Institute of Technology Kanpur, India
12:05
5m
Talk
ICVul: A Well-labeled C/C++ Vulnerability Dataset with Comprehensive Metadata and VCCs
Data and Tool Showcase Track
Chaomeng Lu DistriNet Group-T, KU Leuven, Tianyu Li DistriNet Group-T, KU Leuven, Toon Dehaene KU Leuven, Bert Lagaisse DistriNet Group-T, KU Leuven
12:10
5m
Talk
A Dataset of Software Bill of Materials for Evaluating SBOM Consumption Tools
Data and Tool Showcase Track
Rio Kishimoto Osaka University, Tetsuya Kanda Notre Dame Seishin University, Yuki Manabe The University of Fukuchiyama, Katsuro Inoue Nanzan University, Shi Qiu Toshiba, Yoshiki Higo Osaka University
12:15
5m
Talk
Wild SBOMs: a Large-scale Dataset of Software Bills of Materials from Public Code
Data and Tool Showcase Track
Luis Soeiro LTCI, Télécom Paris, Institut Polytechnique de Paris, Thomas Robert LTCI, Télécom Paris, Institut Polytechnique de Paris, Stefano Zacchiroli Télécom Paris, Polytechnic Institute of Paris
12:20
5m
Talk
MaLAware: Automating the Comprehension of Malicious Software Behaviours using Large Language Models (LLMs)
Data and Tool Showcase Track
BIKASH SAHA Indian Institute of Technology Kanpur, Nanda Rani Indian Institute of Technology Kanpur, Sandeep K. Shukla Indian Institute of Technology Kanpur