VFCFinder: Seamlessly Pairing Security Advisories and Patches

TL;DR

VFCFinder is a tool that accurately links security advisories to their corresponding patches across multiple programming languages, significantly improving vulnerability data quality and aiding software supply chain security.

Contribution

The paper introduces VFCFinder, a novel NL-PL model-based tool that effectively pairs advisories with patches, outperforming existing methods and filling missing data in vulnerability databases.

Findings

96.6% recall within Top-5 VFCs

80.0% Top-1 recall accuracy

Generalizes to nine programming languages

Abstract

Security advisories are the primary channel of communication for discovered vulnerabilities in open-source software, but they often lack crucial information. Specifically, 63% of vulnerability database reports are missing their patch links, also referred to as vulnerability fixing commits (VFCs). This paper introduces VFCFinder, a tool that generates the top-five ranked set of VFCs for a given security advisory using Natural Language Programming Language (NL-PL) models. VFCFinder yields a 96.6% recall for finding the correct VFC within the Top-5 commits, and an 80.0% recall for the Top-1 ranked commit. VFCFinder generalizes to nine different programming languages and outperforms state-of-the-art approaches by 36 percentage points in terms of Top-1 recall. As a practical contribution, we used VFCFinder to backfill over 300 missing VFCs in the GitHub Security Advisory (GHSA) database. All of the VFCs were accepted and merged into the GHSA database. In addition to demonstrating a practical pairing of security advisories to VFCs, our general open-source implementation will allow vulnerability database maintainers to drastically improve data quality, supporting efforts to secure the software supply chain.