Can LLM Prompting Serve as a Proxy for Static Analysis in Vulnerability Detection
Ira Ceka, Feitong Qiao, Anik Dey, Aastha Valecha, Gail Kaiser, Baishakhi Ray

TL;DR
This paper explores using large language model prompting as an alternative to static analysis tools for vulnerability detection in code, showing significant improvements in accuracy and reduction of false negatives.
Contribution
It introduces novel prompting strategies that combine natural language instructions with contrastive reasoning, outperforming traditional static analyzers in partial code vulnerability detection.
Findings
Prompting strategies outperform static analyzers in accuracy.
Significant improvements in F1-score and pairwise accuracy.
Reduction in false negative rates by up to 37.6%.
Abstract
Despite their remarkable success, large language models (LLMs) have shown limited ability on safety-critical code tasks such as vulnerability detection. Typically, static analysis (SA) tools, like CodeQL, CodeGuru Security, etc., are used for vulnerability detection. SA relies on predefined, manually-crafted rules for flagging various vulnerabilities. Thus, the effectiveness of SA in detecting vulnerabilities depends on human experts and is known to report high error rates. In this study, we investigate whether LLM prompting can be an effective alternative to these static analyzers in the partial code setting. We propose prompting strategies that integrate natural language instructions of vulnerabilities with contrastive chain-of-thought reasoning, augmented using contrastive samples from a synthetic dataset. Our findings demonstrate that security-aware prompting techniques can be effective…
Peer Reviews
No public reviews on file for this paper yet.
Videos
No videos yet.
Taxonomy
Topics: Network Security and Intrusion Detection
