CGP-Tuning: Structure-Aware Soft Prompt Tuning for Code Vulnerability Detection

TL;DR

CGP-Tuning introduces a structure-aware soft prompt tuning method that leverages code graph semantics to improve vulnerability detection in large language models, achieving better accuracy and efficiency.

Contribution

It proposes a novel type-aware embedding and an efficient cross-modal alignment module for graph-enhanced prompt tuning tailored to code vulnerability detection.

Findings

Outperforms baseline by 4 percentage points in accuracy

Outperforms zero-shot prompting by 15 percentage points

Maintains practical inference speed

Abstract

Large language models (LLMs) have been proposed as powerful tools for detecting software vulnerabilities, where task-specific fine-tuning is typically employed to provide vulnerability-specific knowledge to the LLMs. However, existing fine-tuning techniques often treat source code as plain text, losing the graph-based structural information inherent in code. Graph-enhanced soft prompt tuning addresses this by translating the structural information into contextual cues that the LLM can understand. However, current methods are primarily designed for general graph-related tasks and focus more on adjacency information, they fall short in preserving the rich semantic information (e.g., control/data flow) within code graphs. They also fail to ensure computational efficiency while capturing graph-text interactions in their cross-modal alignment module. This paper presents CGP-Tuning, a new code graph-enhanced, structure-aware soft prompt tuning method for vulnerability detection. CGP-Tuning introduces type-aware embeddings to capture the rich semantic information within code graphs, along with an efficient cross-modal alignment module that achieves linear computational costs while incorporating graph-text interactions. It is evaluated on the latest DiverseVul dataset and three advanced open-source code LLMs, CodeLlama, CodeGemma, and Qwen2.5-Coder. Experimental results show that CGP-Tuning delivers model-agnostic improvements and maintains practical inference speed, surpassing the best graph-enhanced soft prompt tuning baseline by an average of four percentage points and outperforming non-tuned zero-shot prompting by 15 percentage points.