pith.

Mapping NVD Records to Their Vulnerability-fixing Commits: How Hard is It?

2 Pith papers cite this work.

abstract

Mapping National Vulnerability Database (NVD) records to vulnerability-fixing commits (VFCs) is crucial for vulnerability analysis but challenging because explicit links in NVD references are sparse. This study examines the feasibility of this mapping empirically. Manual analysis of NVD references showed that Git references yield a mapping success rate above 86%, while non-Git references yield under 14%. Using these findings, we built an automated pipeline that extracted 31,942 VFCs from 20,360 NVD records (8.7% of 235,341) with 87% precision, mainly from Git references. To fill gaps, we mined six external security databases, yielding 29,254 VFCs for 18,985 records (8.1%) at 88.4% precision, and GitHub repositories, adding 3,686 VFCs for 2,795 records (1.2%) at 73% precision. Combining these sources, we mapped 26,710 unique records (11.3% coverage) from 7,634 projects, with overlap between the NVD-derived and external-database mappings plus contributions unique to GitHub mining. Despite the success with Git references, 88.7% of records remain unmapped, highlighting the difficulty of mapping records that lack Git links. This study offers insights for enhancing vulnerability datasets and guiding future automated security research.
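As an added illustration (not code from the paper or its pipeline), the Python below shows the kind of Git-reference handling the abstract describes: it splits a record's references into Git and non-Git, and pulls (repository, commit) pairs only from URLs that name a single commit on a few common hosts. The sample record, the host list and the URL shapes are assumptions for this example. A matched commit is a candidate VFC, not a confirmed fix, which is why even Git references do not reach 100% precision in the study.

```python
import re
from urllib.parse import parse_qs, urlparse

# A hypothetical record in the NVD CVE API 2.0 shape, constructed for this
# example (the id is a placeholder, not a real CVE).
SAMPLE_RECORD = {
    "cve": {
        "id": "CVE-0000-00000",
        "references": [
            {"url": "https://github.com/example/proj/commit/0123456789abcdef0123456789abcdef01234567"},
            {"url": "https://github.com/example/proj/pull/42"},
            {"url": "https://gitlab.com/group/proj/-/commit/89abcdef01234567"},
            {"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fedcba9876543210fedcba9876543210fedcba98"},
            {"url": "https://example.org/advisories/2026-001"},
            {"url": "https://github.com/example/proj/commit/not-a-hash"},
        ],
    }
}

# Simplified host list for the Git / non-Git split (an assumption here).
GIT_HOSTS = ("github.com", "gitlab.com", "git.kernel.org", "bitbucket.org")
SHA_RE = re.compile(r"^[0-9a-f]{7,40}$")

# URL shapes that name exactly one commit on the hosts handled here.
_GITHUB_COMMIT = re.compile(r"^/(?P<repo>[^/]+/[^/]+)/commit/(?P<sha>[^/?#]+)/?$")
_GITLAB_COMMIT = re.compile(r"^/(?P<repo>.+?)/-/commit/(?P<sha>[^/?#]+)/?$")
_CGIT_COMMIT = re.compile(r"^/(?P<repo>.+?\.git)/commit/?$")


def is_git_reference(url: str) -> bool:
    """True if the reference points at a Git hosting site at all (commit,
    pull request, issue, tree ...), the coarse split the study reports on."""
    return urlparse(url).netloc.lower() in GIT_HOSTS


def commit_from_url(url: str):
    """Return (repository URL, lowercase SHA) if the URL names a single
    commit, else None.  Pull-request and issue URLs are Git references but
    not commits, so they return None; so does a commit path whose last
    segment is not a hex object id."""
    p = urlparse(url)
    host = p.netloc.lower()
    repo = sha = None
    if host == "github.com":
        m = _GITHUB_COMMIT.match(p.path)
        if m:
            repo, sha = m["repo"], m["sha"]
    elif host == "gitlab.com":
        m = _GITLAB_COMMIT.match(p.path)
        if m:
            repo, sha = m["repo"], m["sha"]
    elif host == "git.kernel.org":
        # cgit carries the object id in the query string: /commit/?id=<sha>
        m = _CGIT_COMMIT.match(p.path)
        q = parse_qs(p.query)
        ids = q.get("id") or q.get("h")
        if m and ids:
            repo, sha = m["repo"], ids[0]
    if repo is None or not SHA_RE.fullmatch(sha.lower()):
        return None
    return (f"https://{host}/{repo}", sha.lower())


def extract_vfcs(record: dict):
    """Candidate vulnerability-fixing commits for one record: deduplicated
    (repo, sha) pairs taken from its Git commit references, in order."""
    found = []
    for ref in record["cve"].get("references", []):
        hit = commit_from_url(ref["url"])
        if hit and hit not in found:
            found.append(hit)
    return found


def classify_references(record: dict):
    """Count Git vs non-Git references for one record."""
    counts = {"git": 0, "non_git": 0}
    for ref in record["cve"].get("references", []):
        counts["git" if is_git_reference(ref["url"]) else "non_git"] += 1
    return counts


if __name__ == "__main__":
    print(classify_references(SAMPLE_RECORD))
    for repo, sha in extract_vfcs(SAMPLE_RECORD):
        print(repo, sha)
```

Running it on the constructed record yields five Git references against one non-Git reference, but only three commit candidates: the pull-request URL and the malformed commit path are Git references that contribute no VFC, which is the gap between "has a Git link" and "maps to a commit" that the abstract's precision figures reflect.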


representative citing papers

File-Level Copying Is an Implicit Dependency in Open Source

cs.SE · 2026-07-02 · novelty 6.0

File-level copying acts as an implicit dependency in open source, removing provenance signals and concentrating security risks in vendored copies and license risks in direct source reuse.

VeriPort: Automated and Verified Patch Backporting at Scale

cs.CR · 2026-06-21 · novelty 6.0

VeriPort is an end-to-end agentic system that backports vulnerability patches to all affected versions of a package at scale while producing verification evidence, achieving 95.3% success on 128 benchmark tasks and generating over 5,000 verified patches across 169 CVEs.
