CommitShield: Tracking Vulnerability Introduction and Fix in Version Control Systems
Zhaonan Wu, Yanjie Zhao, Chen Wei, Zirui Wan, Yue Liu, Haoyu Wang

TL;DR
CommitShield leverages static analysis and large language models to improve the detection of vulnerability introduction and fixes in version control commits, significantly outperforming existing methods.
Contribution
It introduces a novel approach combining static analysis with LLMs to enhance vulnerability detection accuracy in code commits.
Findings
Recall improved by 76%-87% in fix detection
F1-score increased by 15%-27% in introduction detection
Outperforms state-of-the-art methods significantly
Abstract
Version control systems are commonly used to manage open-source software, in which each commit may introduce new vulnerabilities or fix existing ones. Researchers have developed various tools for detecting vulnerabilities in code commits, but their performance is limited by factors such as neglecting descriptive data and challenges in accurately identifying vulnerability introductions. To overcome these limitations, we propose CommitShield, which combines the code analysis capabilities of static analysis tools with the natural language and code understanding capabilities of large language models (LLMs) to enhance the accuracy of vulnerability introduction and fix detection by generating precise descriptions and obtaining rich patch contexts. We evaluate CommitShield using the newly constructed vulnerability repair dataset, CommitVulFix, and a cleaned vulnerability introduction dataset.…
Taxonomy
Topics: Security and Verification in Computing · Web Application Security Vulnerabilities · Software Reliability and Analysis Research
