An ontology-based approach to automate tagging of software artifacts

Abstract: Context: Software engineering repositories contain a wealth of textual information such as source code comments, developers’ discussions, commit messages and bug reports. These free form text descriptions can contain both direct and implicit references to security concerns. Goal: Derive an approach to extract security concerns from textual information that can yield several benefits, such as bug management (e.g., prioritization), bug triage or capturing zero-day attack. Method: Propose a fully automated classification and tagging approach that can extract security tags from these texts without the need for manual training data. Results: We introduce an ontology based Software Security Tagger Framework that can automatically identify and classify cybersecurity-related entities, and concepts in text of software artifacts. Conclusion: Our preliminary results indicate that the framework can successfully extract and classify cybersecurity knowledge captured in unstructured text found in software artifacts.