Research area: Strategies
Venue: 2025 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)
Software logs provide a rich source of data for tracing, debugging, and detecting software bugs. However, the valuable data contained within logs attached to vulnerability reports remains largely unexplored. This study aims to bridge this gap by investigating the characteristics, rationales, and potential of logs for software vulnerability management. We conduct a comprehensive analysis of 1,118 Common Vulnerabilities and Exposures (CVEs) linked to issue reports, specifically focusing on the distribution and content of logs included in these reports. Our analysis reveals that exception logs are the most prevalent type across various vulnerability categories and life cycle phases. In addition, we further discover seven key rationales for attaching logs to vulnerability reports, highlighting the multifaceted role of logs in vulnerability reporting and analysis. Furthermore, we explore the feasibility of using logs to assist in vulnerability management, specifically for vulnerability location and security issue detection. Our experiments show that exception logs effectively target at least one vulnerable function in 65.6% of analyzed vulnerabilities. To support security issue detection, we apply three different approaches, i.e., heuristic rule-based, K-means++, and Latent Dirichlet Allocation. We evaluate the three approaches on a total of 158,730 issue reports from 72 projects hosted on GitHub and Bugzilla. The results show that heuristic rule-based and K-means++ approaches successfully identify true security issues, with a precision of 44.1% and 46.7% respectively. Overall, our findings highlight the significant potential of analyzing logs in vulnerability reports to strengthen software security practices and inspire future studies.
| Publication year | 2025 |
|---|---|
| Citations | 77 |
| Country of publication | China |
| Site | IEEE |