Replication dataset

This page contains the data and scripts required to replicate the results of the study entitled Predicting Vulnerable Components: Software Metrics vs Text Mining.

All data files and scripts on this page were prepared or authored by Riccardo Scandariato, Jeffrey Stuckman, or James Walden

Feature data

(9.3K) File metrics for Drupal 6.0

(1.9MB) Text mining token data for Drupal 6.0

(121K) File metrics for Moodle 2.0.0

(18M) Text mining token data for Moodle 2.0.0

(15K) File metrics for PHPMyAdmin 3.3.0

(5.3M) Text mining token data for PHPMyAdmin 3.3.0

Product source code and tokenization scripts

(829) Script to tokenize PHP files

(572KB) Single-version archive containing Drupal 6.0

(304MB) Git repository providing files for all versions of Moodle

(215MB) Git repository providing files for all versions of PHPMyAdmin

README describing how product files can be extracted

Vulnerability prediction training and testing scripts

(1752) Script to perform cross-project prediction with file metrics

(1979) Script to perform cross-project prediction with text mining features

(1997) Script to train and test within-project prediction models with file metrics

(2212) Script to train and test within-project prediction models with text mining

(520) Script used by cross-project prediction scripts to print results

(577) Script used by within-project prediction scripts to print results

(938) Script to compare and test within-project results

Instructions

To perform the vulnerability prediction experiments using the scripts in this page, several steps must be followed: (1) ensuring that system requirements have been met; (2) downloading the scripts and data into the proper directory structure; (3) setting environment variables; (4) training and testing predictive models; (5) viewing the prediction results; (6) performing cross-project prediction.

System requirements

• A UNIX platform. These scripts have been tested on Mac OS and Linux.
• An installed Java JVM. These scripts have been tested with Oracle Java 1.7.0_51 and 1.7.0_60.
• An installed copy of R. These scripts have been tested with R 3.1.0.
• A copy of Weka. These scripts were tested with Weka 3.7.11.

Downloading scripts and data

All data files and scripts required to perform the experiments are available from this page. Data files should be uncompressed and placed in one directory structure (here, called php-pred), while scripts should be uncompressed and placed in another structure (here, called pred-scripts).

The following files and subdirectories should be created in php-pred:

• php-pred/out/drupal-6_0/drupal-6_0-metrics.arff
• php-pred/out/drupal-6_0/drupal-6_0-tokens.arff
• php-pred/out/moodle-2_0_0/moodle-2_0_0-metrics.arff
• php-pred/out/moodle-2_0_0/moodle-2_0_0-tokens.arff
• php-pred/out/phpmyadmin-3_3_0/phpmyadmin-3_3_0-metrics.arff
• php-pred/out/phpmyadmin-3_3_0/phpmyadmin-3_3_0-tokens.arff

The following files and subdirectories should be created in pred-scripts:

• pred-scripts/xproject-metrics.sh
• pred-scripts/xproject-text.sh
• pred-scripts/xvalid-metrics.sh
• pred-scripts/xvalid-text.sh
• pred-scripts/R/xproject-print.R
• pred-scripts/R/xvalid-print.R
• pred-scripts/R/xvalid-test.R

Setting environment variables

An environment variable PHP_PRED should be set as the path of the php-pred directory created in the previous step. An environment variable WEKA_JAR should be set as the full pathname and filename of the weka.jar file included with Weka.

Testing and training predictive models

Switch to the previously created pred-scripts directory and run the following series of scripts:

Viewing and comparing prediction results

In the same directory, run the following series of scripts, changing ~/php-pred to the actual location of the php-pred directory:

Cross-project prediction

In the same directory, run the following series of scripts: