PatchFinder: A Two-Phase Approach to Security Patch Tracing for Disclosed Vulnerabilities in Open Source Software