Learning Graph-based Patch Representations for Identifying and Assessing Silent Vulnerability Fixes

TL;DR

This paper introduces GRAPE, a graph-based neural network framework that captures structural code information to improve identification and assessment of silent vulnerability fixes in software dependencies.

Contribution

GRAPE provides a novel unified graph-based representation for vulnerability patches, enhancing understanding of patch intent and impact by incorporating structural code information.

Findings

Outperforms baseline methods in vulnerability fix identification

Reduces false positives and omissions in vulnerability detection

Accurately classifies vulnerability types and severity levels

Abstract

Software projects are dependent on many third-party libraries, therefore high-risk vulnerabilities can propagate through the dependency chain to downstream projects. Owing to the subjective nature of patch management, software vendors commonly fix vulnerabilities silently. Silent vulnerability fixes cause downstream software to be unaware of urgent security issues in a timely manner, posing a security risk to the software. Presently, most of the existing works for vulnerability fix identification only consider the changed code as a sequential textual sequence, ignoring the structural information of the code. In this paper, we propose GRAPE, a GRAph-based Patch rEpresentation that aims to 1) provide a unified framework for getting vulnerability fix patches representation; and 2) enhance the understanding of the intent and potential impact of patches by extracting structural information of the code. GRAPE employs a novel joint graph structure (MCPG) to represent the syntactic and semantic information of fix patches and embeds both nodes and edges. Subsequently, a carefully designed graph convolutional neural network (NE-GCN) is utilized to fully learn structural features by leveraging the attributes of the nodes and edges. Moreover, we construct a dataset containing 2251 silent fixes. For the experimental section, we evaluated patch representation on three tasks, including vulnerability fix identification, vulnerability types classification, and vulnerability severity classification. Experimental results indicate that, in comparison to baseline methods, GRAPE can more effectively reduce false positives and omissions of vulnerability fixes identification and provide accurate vulnerability assessments.