VFFINDER: A Graph-based Approach for Automated Silent Vulnerability-Fix Identification
Son Nguyen, Thanh Trong Vu, and Hieu Dinh Vo

TL;DR
VFFINDER is a graph-based tool that uses ASTs and neural networks to automatically detect silent vulnerability fixes in software commits, significantly outperforming existing methods in accuracy and speed.
Contribution
This paper introduces VFFINDER, a novel graph neural network approach that effectively identifies silent vulnerability fixes by analyzing structural code changes.
Findings
VFFINDER achieves 39-83% higher precision than previous methods.
It improves recall by 19-148%, enhancing detection of silent fixes.
The approach speeds up fix identification by up to 47%.
Abstract
The increasing reliance of software projects on third-party libraries has raised concerns about the security of these libraries, since they may carry hidden vulnerabilities. Managing such vulnerabilities is hard because of the time gap between the fix and its public disclosure. Moreover, a significant portion of open-source projects fix vulnerabilities silently, without any disclosure, which undermines vulnerability management. Existing tools such as OWASP Dependency-Check rely heavily on public disclosures, which limits their ability to detect vulnerabilities that have not been announced. Automated identification of vulnerability-fixing commits has emerged to address this problem, but identifying silent vulnerability fixes remains challenging. This paper presents VFFINDER, a novel graph-based approach for automated silent vulnerability-fix identification. VFFINDER captures structural changes using Abstract Syntax Trees (ASTs) and represents…
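The point the abstract makes is that a silent fix is better recognised from the structural change a commit makes to the code than from the commit message. The script below is an added illustration of that step, not code from the paper or from the VFFINDER tool: it computes a statement-level structural diff between two versions of a function with Python's standard `ast` module. A constructed bounds-check fix appears as a single added `if` statement inside a modified function, while a whitespace-and-comment-only edit that a textual diff flags produces no structural change at all. The fingerprinting and top-down matching rule, the function names, and the sample snippets are assumptions of this example; the paper's own change representation and graph neural network are not reproduced here. Requires Python 3.9 or later for `ast.unparse`.

```python
import ast
import difflib
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed samples (not taken from the paper or any real project).
# AFTER_FIX silently adds a bounds check, the kind of change a
# security-relevant commit makes without naming a vulnerability.
BEFORE = '''
def read_item(buf, idx):
    return buf[idx]
'''

AFTER_FIX = '''
def read_item(buf, idx):
    if idx < 0 or idx >= len(buf):
        raise IndexError("index out of range")
    return buf[idx]
'''

# Same logic as BEFORE; only spacing and a comment differ. A textual diff is
# non-empty, a structural (AST) diff should be empty.
AFTER_REFORMAT = '''
def read_item(buf,   idx):
    # look up one element
    return buf[ idx ]
'''


def subtree_hash(node: ast.AST) -> str:
    """Fingerprint a subtree by node types and field values only.

    Source positions are AST attributes, not fields, so layout changes do not
    affect the hash; identifiers, operators and constants do.
    """
    parts = [type(node).__name__]
    for name, value in ast.iter_fields(node):
        if isinstance(value, ast.AST):
            parts.append(f"{name}={subtree_hash(value)}")
        elif isinstance(value, list):
            items = [subtree_hash(v) if isinstance(v, ast.AST) else repr(v) for v in value]
            parts.append(f"{name}=[{','.join(items)}]")
        else:
            parts.append(f"{name}={value!r}")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def statement_hashes(tree: ast.AST) -> Set[str]:
    """Fingerprints of every statement in the tree, at any nesting depth."""
    return {subtree_hash(n) for n in ast.walk(tree) if isinstance(n, ast.stmt)}


def child_statements(node: ast.AST) -> List[ast.stmt]:
    """Direct statement children (module body, function body, if/else arms, ...)."""
    return [c for c in ast.iter_child_nodes(node) if isinstance(c, ast.stmt)]


def describe(stmt: ast.stmt) -> Tuple[str, str]:
    """(node type, first source line) for human-readable reports."""
    return type(stmt).__name__, ast.unparse(stmt).splitlines()[0]


def label_statements(tree: ast.AST, other: Set[str]) -> Tuple[List, List]:
    """Top-down match of `tree` against the statement fingerprints of the other version.

    A statement whose whole subtree exists in the other version is unchanged and
    not descended into. One with an unchanged statement somewhere below it is
    'modified' and its children are examined in turn. One with nothing in common
    is reported as a unit (added or removed, depending on which side is scanned).
    """
    whole: List[Tuple[str, str]] = []
    modified: List[Tuple[str, str]] = []

    def visit(stmt: ast.stmt) -> None:
        if subtree_hash(stmt) in other:
            return  # unchanged subtree, nothing to report
        nested = [n for n in ast.walk(stmt) if isinstance(n, ast.stmt) and n is not stmt]
        if any(subtree_hash(n) in other for n in nested):
            modified.append(describe(stmt))
            for child in child_statements(stmt):
                visit(child)
        else:
            whole.append(describe(stmt))

    for top in child_statements(tree):
        visit(top)
    return whole, modified


def structural_diff(before_src: str, after_src: str) -> Dict[str, List[Tuple[str, str]]]:
    """Statements added, removed and modified between two versions of a source file."""
    before, after = ast.parse(before_src), ast.parse(after_src)
    added, modified = label_statements(after, statement_hashes(before))
    removed, _ = label_statements(before, statement_hashes(after))
    return {"added": added, "removed": removed, "modified": modified}


def changed_text_lines(before_src: str, after_src: str) -> int:
    """Number of +/- lines a plain unified diff would report, for comparison."""
    diff = difflib.unified_diff(before_src.splitlines(), after_src.splitlines(), lineterm="")
    return sum(1 for line in diff
               if line.startswith(("+", "-")) and not line.startswith(("+++", "---")))


if __name__ == "__main__":
    for name, after in (("bounds-check fix", AFTER_FIX), ("reformat only", AFTER_REFORMAT)):
        print(f"{name}: {changed_text_lines(BEFORE, after)} changed text lines, "
              f"structural diff {structural_diff(BEFORE, after)}")
```

The contrast between `changed_text_lines` and `structural_diff` is the practical reason for working on ASTs: a token- or line-level model sees the reformat as a change of the same size as the fix, whereas the structural view isolates the one new `if` statement that carries the security meaning.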
Taxonomy
Topics: Software Engineering Research · Advanced Malware Detection Techniques · Web Application Security Vulnerabilities
