FuncVul: An Effective Function Level Vulnerability Detection Model using LLM and Code Chunk

TL;DR

FuncVul is a novel function-level vulnerability detection model using large language models and code chunks, significantly improving accuracy over existing methods in identifying vulnerabilities in C/C++ and Python code.

Contribution

The paper introduces FuncVul, a code chunk-based vulnerability detection model utilizing GraphCodeBERT, which enhances function-level vulnerability identification accuracy compared to prior approaches.

Findings

Achieves 87-92% accuracy and 86-92% F1 score across datasets.

Outperforms state-of-the-art models with 53.9% higher accuracy.

Effectively detects multiple vulnerabilities within functions.

Abstract

Software supply chain vulnerabilities arise when attackers exploit weaknesses by injecting vulnerable code into widely used packages or libraries within software repositories. While most existing approaches focus on identifying vulnerable packages or libraries, they often overlook the specific functions responsible for these vulnerabilities. Pinpointing vulnerable functions within packages or libraries is critical, as it can significantly reduce the risks associated with using open-source software. Identifying vulnerable patches is challenging because developers often submit code changes that are unrelated to vulnerability fixes. To address this issue, this paper introduces FuncVul, an innovative code chunk-based model for function-level vulnerability detection in C/C++ and Python, designed to identify multiple vulnerabilities within a function by focusing on smaller, critical code segments. To assess the model's effectiveness, we construct six code and generic code chunk based datasets using two approaches: (1) integrating patch information with large language models to label vulnerable samples and (2) leveraging large language models alone to detect vulnerabilities in function-level code. To design FuncVul vulnerability model, we utilise GraphCodeBERT fine tune model that captures both the syntactic and semantic aspects of code. Experimental results show that FuncVul outperforms existing state-of-the-art models, achieving an average accuracy of 87-92% and an F1 score of 86-92% across all datasets. Furthermore, we have demonstrated that our code-chunk-based FuncVul model improves 53.9% accuracy and 42.0% F1-score than the full function-based vulnerability prediction. The FuncVul code and datasets are publicly available on GitHub at https://github.com/sajalhalder/FuncVul.