This is an archive of the old software engineering chair at Saarland University. It is no longer up-to-date.

Predicting Vulnerable Software Components - Technical Report
by Stephan Neuhaus, Thomas Zimmermann, Andreas Zeller

Universität des Saarlandes, Saarbrücken, Germany, February 2007. Accepted at ACM CCS 2007. Please cite the conference paper..

Download as PDF file.

See also

More information is available at


We introduce Vulture, a new approach and tool to predict vulnerable components in large software systems. Vulture relates a software project's version archive to its vulnerability database to find those components that had vulnerabilities in the past. It then analyzes the import structure of software components and uses a support vector machine to learn and predict which imports are most important for a component to be vulnerable. We evaluated Vulture on the C++ codebase of Mozilla and found that Vulture correctly identifies about two thirds of all vulnerable components. This allows developers and project managers to focus their testing and inspection efforts: "We should look at nsXPInstallManager more closely, because it is likely to contain yet unknown vulnerabilities."

BibTeX Entry

    title = "Predicting Vulnerable Software Components",
    author = "Stephan Neuhaus and Thomas Zimmermann and Andreas Zeller",
    year = "2007",
    month = feb,
    institution = "Universität des Saarlandes, Saarbrücken, Germany",

Show all publications of the Software Engineering Chair.