VFArchē: A Dual-Mode Framework for Locating Vulnerable Functions in Open-Source Software
Lyuye Zhang, Jian Zhang, Kaixuan Li, Chong Wang, Chengwei Liu, Jiahui Wu, Sen Chen, Yaowen Zheng, Yang Liu

TL;DR
VFArchē is a dual-mode framework that effectively locates vulnerable functions in open-source software, handling cases with or without available patches, and improves vulnerability detection accuracy.
Contribution
The paper introduces VFArchē, a novel dual-mode approach that automatically localizes vulnerable functions in OSS regardless of patch availability, outperforming existing methods.
Findings
Achieves 1.3x and 1.9x higher MRR (mean reciprocal rank) than baselines in patch-present and patch-absent modes, respectively.
Successfully locates vulnerable functions for 43 out of 50 recent vulnerabilities.
Reduces false positives of SCA tools by 78-89%.
Abstract
Software Composition Analysis (SCA) has become pivotal in addressing vulnerabilities inherent in software project dependencies. In particular, reachability analysis is increasingly used in Open-Source Software (OSS) projects to identify reachable vulnerabilities (e.g., CVEs) through call graphs, enabling a focus on exploitable risks. Performing reachability analysis typically requires the vulnerable function (VF) in order to track the call chains from downstream applications. However, such crucial information is usually unavailable in modern vulnerability databases like NVD. While directly extracting the VF from the functions modified in a vulnerability patch is intuitive, patches are not always available. Moreover, our preliminary study shows that over 26% of VFs do not appear among the modified functions. Meanwhile, simply ignoring patches and searching for vulnerable functions suffers from overwhelming noise and…
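To make the abstract's point concrete, here is an added example (not code from the paper or from VFArchē) of the reachability check that SCA tools perform once a VF is known, run over a constructed call graph with hypothetical function names. It also shows why VF localization matters: when the patch modified a caller that merely added a check (`lib.sanitize`), treating that function as the VF yields a "not reachable" verdict, while the real VF (`lib.copy_buf`) is reachable from the application's entry point through a different caller.

```python
from collections import deque

# Constructed call graph: caller -> callees. Names are hypothetical.
# "lib.*" is a dependency; "app.*" is the downstream application.
CALL_GRAPH = {
    "app.main": ["app.handle_request"],
    "app.handle_request": ["lib.parse_header", "lib.log_event"],
    "lib.parse_header": ["lib.read_line"],
    "lib.read_line": ["lib.copy_buf"],
    "lib.log_event": ["lib.format_msg"],
    "lib.format_msg": [],
    "lib.copy_buf": [],           # assumed real VF (where the bug lives)
    "lib.sanitize": ["lib.copy_buf"],  # assumed patch-modified caller; app never calls it
}


def reachable_path(graph, entry, target):
    """Breadth-first search from entry; return the call chain
    entry -> ... -> target, or None if target is unreachable."""
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def reachability_verdicts(graph, entry, candidate_vfs):
    """Map each candidate VF to its call chain from entry (None = unreachable).
    A wrong VF candidate silently turns a reachable bug into a 'safe' verdict."""
    return {vf: reachable_path(graph, entry, vf) for vf in candidate_vfs}


if __name__ == "__main__":
    for vf, chain in reachability_verdicts(
            CALL_GRAPH, "app.main", ["lib.sanitize", "lib.copy_buf"]).items():
        print(vf, "->", " -> ".join(chain) if chain else "NOT REACHABLE")
```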
