Tools that alert developers about library vulnerabilities depend on accurate, up-to-date vulnerability databases which are maintained by security researchers. These databases record the libraries related to each vulnerability. However, the vulnerability reports may not explicitly list every library and human analysis is required to determine all the relevant libraries. Human analysis may be slow and expensive, which motivates the need for automated approaches. Researchers and practitioners have proposed to automatically identify libraries from vulnerability reports using extreme multi-label learning (XML). While state-of-the-art XML techniques showed promising performance, their experiment settings do not practically fit what happens in reality. Previous studies randomly split the vulnerability reports data for training and testing their models without considering the chronological order of the reports. This may unduly train the models on chronologically newer reports while testing the models on chronologically older ones. However, in practice, one often receives chronologically new reports, which may be related to previously unseen libraries. Under this practical setting, we observe that the performance of current XML techniques declines substantially, e.g., F1 decreased from 0.7 to 0.24 under experiments without and with consideration of chronological order of vulnerability reports. We propose a practical library identification approach, namely CHRONOS, based on zero-shot learning. The novelty of CHRONOS is three-fold. First, CHRONOS fits into the practical pipeline by considering the chronological order of vulnerability reports. Second, CHRONOS enriches the data of the vulnerability descriptions and labels using a carefully designed data enhancement step. Third, CHRONOS exploits the temporal ordering of the vulnerability reports using a cache to prioritize prediction of...

翻译：用于向开发者预警库漏洞的工具依赖于由安全研究人员维护的准确且最新的漏洞数据库。这些数据库记录了每个漏洞所涉及的库。然而，漏洞报告可能并未明确列出所有库，需要人工分析来确定所有相关库。人工分析可能耗时且昂贵，因此亟需自动化方法。研究人员和实践者已提出利用极端多标签学习（XML）从漏洞报告中自动识别库。尽管最先进的XML技术展现了有前景的性能，但其实验设置并不符合实际场景。以往研究在划分漏洞报告数据以训练和测试模型时，随机分割数据而未考虑报告的时间顺序。这可能导致模型不当地将时间较新的报告用于训练，而用时间较旧的报告进行测试。然而在实践中，我们常接收到时间较新的报告，这些报告可能涉及先前未见过的库。在此实际设定下，我们观察到当前XML技术的性能显著下降：例如，在不考虑与考虑漏洞报告时间顺序的实验对比中，F1值从0.7降至0.24。我们提出一种基于零样本学习的实用库识别方法CHRONOS。CHRONOS的创新性体现在三个方面：第一，通过考虑漏洞报告的时间顺序，使其符合实际流程；第二，通过精心设计的数据增强步骤丰富漏洞描述和标签数据；第三，利用缓存机制赋予漏洞报告时间顺序优先级的预测策略...