CompVPD: Iteratively Identifying Vulnerability Patches Based on Human Validation Results with a Precise Context
Tianyu Chen, Lin Li, Taotao Qian, Jingyi Liu, Wei Yang, Ding Li, Guangtai Liang, Qianxiang Wang, Tao Xie

TL;DR
CompVPD is an iterative framework that leverages human validation and precise context identification to significantly improve vulnerability patch detection accuracy in open source software.
Contribution
It introduces multi-granularity slicing and adaptive-expanding algorithms that compute a precise context for each commit, and uses that context in an iterative framework that incorporates human validation results to improve vulnerability patch identification.
Findings
Improves F1 score by 20% over state-of-the-art methods
Identifies 20 vulnerabilities and 18 fixes from 2,500 commits
Outperforms existing approaches in accuracy and effectiveness
Abstract
Applying security patches to open source software in a timely manner is critical for ensuring the security of downstream applications. However, it is challenging to apply these patches promptly because notifications of patches are often incomplete and delayed. To address this issue, existing approaches employ deep-learning (DL) models to identify additional vulnerability patches by determining whether a code commit addresses a vulnerability. Nonetheless, these approaches suffer from low accuracy due to the imprecise context provided for the patches. To provide precise context for patches, we propose a multi-granularity slicing algorithm and an adaptive-expanding algorithm to accurately identify code related to the patches. Additionally, the precise context enables the design of an iterative identification framework, CompVPD, which utilizes the human validation results and substantially improves the…
Taxonomy
Topics: Software Engineering Research · Advanced Malware Detection Techniques · Web Application Security Vulnerabilities
