pith. sign in

arxiv: 2408.07321 · v2 · pith:WUXJDILFnew · submitted 2024-08-14 · 💻 cs.SE · cs.CR

VERCATION: Precise Vulnerable Open-source Software Version Identification based on Static Analysis and LLM

classification 💻 cs.SE cs.CR
keywords codeversionsvulnerablevercationanalysisclonedetectionidentify
0
0 comments X
read the original abstract

Open-source software (OSS) has experienced a surge in popularity, attributed to its collaborative development model and cost-effective nature. However, the adoption of specific software versions in development projects may introduce security risks when these versions bring along vulnerabilities. Current methods of identifying vulnerable versions typically analyze and extract the code features involved in vulnerability patches using static analysis with pre-defined rules. They then use code clone detection to identify the vulnerable versions. These methods are hindered by imprecision due to (1) the exclusion of vulnerability-irrelevant code in the analysis and (2) the inadequacy of code clone detection. This paper presents VERCATION, an approach designed to identify vulnerable versions of OSS written in C/C++. VERCATION combines program slicing with a Large Language Model (LLM) to identify vulnerability-relevant code from vulnerability patches. It then backtracks historical commits to gather previous modifications of identified vulnerability-relevant code. We propose code clone detection based on expanded and normalized ASTs to compare the differences between pre-modification and post-modification code, thereby locating the vulnerability-introducing commit (vic) and enabling the identification of the vulnerable versions between the vulnerability-fixing commit and the vic. We curate a dataset linking 122 OSS vulnerabilities and 1,211 versions to evaluate VERCATION. On this dataset, our approach achieves an F1 score of 93.1%, outperforming current state-of-the-art methods. More importantly, VERCATION detected 202 incorrect vulnerable OSS versions in NVD reports.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Mapping NVD Records to Their Vulnerability-fixing Commits: How Hard is It?

    cs.SE 2025-06 accept novelty 4.0

    Empirical study finds Git references enable over 86% success in mapping NVD records to vulnerability-fixing commits while non-Git references succeed under 14%, yielding an automated pipeline and external mining that t...