Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories

The lack of comprehensive sources of accurate vulnerability data represents a critical obstacle to studying and understanding software vulnerabilities (and their corrections). In this paper, we present an approach that combines heuristics stemming from practical experience and machine-learning (ML) - specifically, natural language processing (NLP) - to address this problem. Our method consists of three phases. First, an advisory record containing key information about a vulnerability is extracted from an advisory (expressed in natural language). Second, using heuristics, a subset of candidate fix commits is obtained from the source code repository of the affected project by filtering out commits that are known to be irrelevant for the task at hand. Finally, for each such candidate commit, our method builds a numerical feature vector reflecting the characteristics of the commit that are relevant to predicting its match with the advisory at hand. The feature vectors are then exploited for building a final ranked list of candidate fixing commits. The score attributed by the ML model to each feature is kept visible to the users, allowing them to interpret of the predictions. We evaluated our approach using a prototype implementation named Prospector on a manually curated data set that comprises 2,391 known fix commits corresponding to 1,248 public vulnerability advisories. When considering the top-10 commits in the ranked results, our implementation could successfully identify at least one fix commit for up to 84.03% of the vulnerabilities (with a fix commit on the first position for 65.06% of the vulnerabilities). In conclusion, our method reduces considerably the effort needed to search OSS repositories for the commits that fix known vulnerabilities

The Adoption of a COVID-19 Contact-Tracing App: Cluster Analysis

Background: During the COVID-19 pandemic, there was limited adoption of contact-tracing apps (CTAs). Adoption was particularly low among vulnerable people (eg, people with a low socioeconomic position or of older age), while this part of the population tends to have lesser access to information and communication technology and is more vulnerable to the COVID-19 virus. Objective: This study aims to understand the cause of this lagged adoption of CTAs in order to facilitate adoption and find indications to make public health apps more accessible and reduce health disparities. Methods: Because several psychosocial variables were found to be predictive of CTA adoption, data from the Dutch CTA CoronaMelder (CM) were analyzed using cluster analysis. We examined whether subgroups could be formed based on 6 psychosocial perceptions (ie, trust in the government, beliefs about personal data, social norms, perceived personal and societal benefits, risk perceptions, and self-efficacy) of (non)users concerning CM in order to examine how these clusters differ from each other and what factors are predictive of the intention to use a CTA and the adoption of a CTA. The intention to use and the adoption of CM were examined based on longitudinal data consisting of 2 time frames in October/November 2020 (N=1900) and December 2020 (N=1594). The clusters were described by demographics, intention, and adoption accordingly. Moreover, we examined whether the clusters and the variables that were found to influence the adoption of CTAs, such as health literacy, were predictive of the intention to use and the adoption of the CM app. Results: The final 5-cluster solution based on the data of wave 1 contained significantly different clusters. In wave 1, respondents in the clusters with positive perceptions (ie, beneficial psychosocial variables for adoption of a CTA) about the CM app were older (P<.001), had a higher education level (P<.001), and had higher intention (P<.001) and adoption (P<.001) rates than those in the clusters with negative perceptions. In wave 2, the intention to use and adoption were predicted by the clusters. The intention to use CM in wave 2 was also predicted using the adoption measured in wave 1 (P<.001, β=–2.904). Adoption in wave 2 was predicted by age (P=.022, exp(B)=1.171), the intention to use in wave 1 (P<.001, exp(B)=1.770), and adoption in wave 1 (P<.001, exp(B)=0.043). Conclusions: The 5 clusters, as well as age and previous behavior, were predictive of the intention to use and the adoption of the CM app. Through the distinguishable clusters, insight was gained into the profiles of CM (non)intenders and (non)adopters

The Adoption of a COVID-19 Contact-Tracing App:Cluster Analysis

Background:During the COVID-19 pandemic, there was limited adoption of contact-tracing apps (CTAs). Adoption was particularly low among vulnerable people (eg, people with a low socioeconomic position or of older age), while this part of the population tends to have lesser access to information and communication technology and is more vulnerable to the COVID-19 virus.Objective:This study aims to understand the cause of this lagged adoption of CTAs in order to facilitate adoption and find indications to make public health apps more accessible and reduce health disparities.Methods:Because several psychosocial variables were found to be predictive of CTA adoption, data from the Dutch CTA CoronaMelder (CM) were analyzed using cluster analysis. We examined whether subgroups could be formed based on 6 psychosocial perceptions (ie, trust in the government, beliefs about personal data, social norms, perceived personal and societal benefits, risk perceptions, and self-efficacy) of (non)users concerning CM in order to examine how these clusters differ from each other and what factors are predictive of the intention to use a CTA and the adoption of a CTA. The intention to use and the adoption of CM were examined based on longitudinal data consisting of 2 time frames in October/November 2020 (N=1900) and December 2020 (N=1594). The clusters were described by demographics, intention, and adoption accordingly. Moreover, we examined whether the clusters and the variables that were found to influence the adoption of CTAs, such as health literacy, were predictive of the intention to use and the adoption of the CM app.Results:The final 5-cluster solution based on the data of wave 1 contained significantly different clusters. In wave 1, respondents in the clusters with positive perceptions (ie, beneficial psychosocial variables for adoption of a CTA) about the CM app were older (P&lt;.001), had a higher education level (P&lt;.001), and had higher intention (P&lt;.001) and adoption (P&lt;.001) rates than those in the clusters with negative perceptions. In wave 2, the intention to use and adoption were predicted by the clusters. The intention to use CM in wave 2 was also predicted using the adoption measured in wave 1 (P&lt;.001, β=–2.904). Adoption in wave 2 was predicted by age (P=.022, exp(B)=1.171), the intention to use in wave 1 (P&lt;.001, exp(B)=1.770), and adoption in wave 1 (P&lt;.001, exp(B)=0.043).Conclusions:The 5 clusters, as well as age and previous behavior, were predictive of the intention to use and the adoption of the CM app. Through the distinguishable clusters, insight was gained into the profiles of CM (non)intenders and (non)adopters