REEF: A Framework for Collecting Real-World Vulnerabilities and Fixes

TL;DR

This paper introduces REEF, a comprehensive framework for collecting and analyzing real-world software vulnerabilities and fixes across multiple languages, improving dataset quality and explanation clarity for automated repair research.

Contribution

The paper presents REEF, a multi-language crawler and quality filtering metrics for high-quality vulnerability-fix datasets, along with a neural model for generating detailed vulnerability explanations.

Findings

Collected 4,466 CVEs and 30,987 patches across 7 languages.

Produced high-quality explanations validated by human experts.

Dataset surpasses existing benchmarks in scale, coverage, and quality.

Abstract

Software plays a crucial role in our daily lives, and therefore the quality and security of software systems have become increasingly important. However, vulnerabilities in software still pose a significant threat, as they can have serious consequences. Recent advances in automated program repair have sought to automatically detect and fix bugs using data-driven techniques. Sophisticated deep learning methods have been applied to this area and have achieved promising results. However, existing benchmarks for training and evaluating these techniques remain limited, as they tend to focus on a single programming language and have relatively small datasets. Moreover, many benchmarks tend to be outdated and lack diversity, focusing on a specific codebase. Worse still, the quality of bug explanations in existing datasets is low, as they typically use imprecise and uninformative commit messages as explanations. To address these issues, we propose an automated collecting framework REEF to collect REal-world vulnErabilities and Fixes from open-source repositories. We develop a multi-language crawler to collect vulnerabilities and their fixes, and design metrics to filter for high-quality vulnerability-fix pairs. Furthermore, we propose a neural language model-based approach to generate high-quality vulnerability explanations, which is key to producing informative fix messages. Through extensive experiments, we demonstrate that our approach can collect high-quality vulnerability-fix pairs and generate strong explanations. The dataset we collect contains 4,466 CVEs with 30,987 patches (including 236 CWE) across 7 programming languages with detailed related information, which is superior to existing benchmarks in scale, coverage, and quality. Evaluations by human experts further confirm that our framework produces high-quality vulnerability explanations.