FOSS version differentiation as a benchmark for static analysis security testing tools

Abstract

We propose a novel methodology that allows automatic construction of benchmarks for Static Analysis Security Testing (SAST) tools from real-world software projects by differencing vulnerable and fixed versions in FOSS repositories. The methodology allows us to evaluate the "actual" performance of SAST tools, that is, without counting alarms unrelated to the vulnerability being fixed. To test our approach, we benchmarked 7 SAST tools (although we report only the results for the two best tools) against 70 revisions of four major versions of Apache Tomcat, with 62 distinct CVEs as the source of ground-truth vulnerabilities.
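As an added illustration (not code from the paper or from the authors' tooling), the following Python sketches one way to score a single SAST run against a vulnerable/fixed revision pair used as ground truth: lines the fix removed or replaced are taken as the vulnerable location (a pure insertion is attributed to the vulnerable line that follows it), an alarm on such a line counts as detecting the CVE, and an alarm that survives unchanged into the fixed revision is classed as unrelated and dropped from the comparison. The Java snippet, the alarm lists, the rule names and the insertion-attribution rule are all constructed assumptions, not data from the Tomcat study.

```python
"""Added example: scoring one SAST run against a vulnerable/fixed revision pair.

Not code from the paper; it implements one reading of the version-differencing
idea in the abstract. File contents, alarms and rule names are constructed.
"""
import difflib
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    path: str   # file the tool flagged
    line: int   # 1-based line in that revision
    rule: str   # tool's rule / checker id


def diff_lines(vulnerable_src, fixed_src):
    """Return (touched, mapping) for one file.

    touched: 1-based lines of the vulnerable revision that the fix removed or
             replaced; a pure insertion is attributed to the vulnerable line
             that follows it (assumption: an added guard protects the next
             statement).
    mapping: vulnerable line -> fixed line for lines the fix left unchanged.
    """
    a = vulnerable_src.splitlines()
    b = fixed_src.splitlines()
    touched, mapping = set(), {}
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b).get_opcodes():
        if tag in ("replace", "delete"):
            touched.update(range(i1 + 1, i2 + 1))
        elif tag == "insert":
            touched.add(min(i1 + 1, len(a)))
        else:  # equal: record where each unchanged line ended up
            for k in range(i2 - i1):
                mapping[i1 + 1 + k] = j1 + 1 + k
    return touched, mapping


def score(vuln_alarms, fixed_alarms, sources):
    """Classify every alarm raised on the vulnerable revision.

    sources: {path: (vulnerable_src, fixed_src)} for files changed by the fix.
    detected:  alarm sits on a line the fix touched -> counts as finding the CVE
    unrelated: the same alarm persists on the unchanged line in the fixed
               revision -> cannot be the CVE, dropped from the comparison
    other:     everything else (e.g. alarm on untouched code that vanished)
    """
    fixed_set = set(fixed_alarms)
    diffs = {p: diff_lines(v, f) for p, (v, f) in sources.items()}
    result = {"detected": [], "unrelated": [], "other": []}
    for alarm in vuln_alarms:
        if alarm.path in diffs:
            touched, mapping = diffs[alarm.path]
            counterpart = mapping.get(alarm.line, -1)  # -1: line no longer exists
        else:                                          # file untouched by the fix
            touched, counterpart = set(), alarm.line
        if alarm.line in touched:
            result["detected"].append(alarm)
        elif Alarm(alarm.path, counterpart, alarm.rule) in fixed_set:
            result["unrelated"].append(alarm)
        else:
            result["other"].append(alarm)
    result["cve_found"] = bool(result["detected"])
    return result


# Constructed example: a path-traversal fix that inserts one guard line.
VULNERABLE = """\
public class PathHandler {
    String base = "/var/www";
    public String resolve(String name) {
        Runtime.getRuntime().exec("ls " + base);
        return base + "/" + name;
    }
}
"""
FIXED = """\
public class PathHandler {
    String base = "/var/www";
    public String resolve(String name) {
        Runtime.getRuntime().exec("ls " + base);
        if (name.contains("..")) throw new IllegalArgumentException(name);
        return base + "/" + name;
    }
}
"""
SOURCES = {"PathHandler.java": (VULNERABLE, FIXED)}

# Constructed alarms, as a tool might report them on each revision.
VULN_ALARMS = [
    Alarm("PathHandler.java", 5, "PATH_TRAVERSAL"),     # on the fixed line: detected
    Alarm("PathHandler.java", 4, "COMMAND_INJECTION"),  # survives the fix: unrelated
    Alarm("PathHandler.java", 2, "HARDCODED_PATH"),     # vanishes although untouched
]
FIXED_ALARMS = [
    Alarm("PathHandler.java", 4, "COMMAND_INJECTION"),
    Alarm("PathHandler.java", 5, "UNCHECKED_INPUT"),
]


def example():
    return score(VULN_ALARMS, FIXED_ALARMS, SOURCES)


if __name__ == "__main__":
    r = example()
    print("CVE found:", r["cve_found"])
    for bucket in ("detected", "unrelated", "other"):
        print(bucket, [f"{a.path}:{a.line} {a.rule}" for a in r[bucket]])
```

Run over a real study, `sources` would be filled from the repository diff between the two revisions and the alarm lists from the tool's reports on each checkout; the "unrelated" bucket is what keeps alarms that have nothing to do with the CVE from inflating the false-positive count.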

DOI: 10.1145/3106237.3121276


Cite this paper

@inproceedings{Pashchenko2017FOSSVD,
  title     = {FOSS version differentiation as a benchmark for static analysis security testing tools},
  author    = {Ivan Pashchenko},
  booktitle = {ESEC/SIGSOFT FSE},
  year      = {2017}
}