Detecting Protracted Vulnerabilities in Open Source Projects
Arjun Sridharkumar, Sara Al Hajj Ibrahim, Jiayuan Zhou, Yuliang Wang, Safwat Hassan, Ahmed E. Hassan, Shurui Zhou

TL;DR
This paper analyzes long-standing vulnerabilities in open-source projects, evaluates current detection tools, and introduces DeeptraVul, a new approach that significantly improves detection coverage of protracted vulnerabilities.
Contribution
It constructs a dataset of protracted vulnerabilities, analyzes their causes, and proposes DeeptraVul, an enhanced detection method leveraging multiple artifacts and LLMs, outperforming existing tools.
Findings
Current SOTA tools detect only 44% of protracted vulnerabilities.
DeeptraVul increases detection coverage by 14% overall.
DeeptraVul achieves 90% coverage on its specific vulnerability subset.
Abstract
Timely resolution and disclosure of vulnerabilities are essential for maintaining the security of open-source software. However, many vulnerabilities remain unreported, unpatched, or undisclosed for extended periods, exposing users to prolonged security threats. While various vulnerability detection tools exist, they primarily focus on predicting or identifying known vulnerabilities, often failing to capture vulnerabilities that experience significant delays in resolution. In this study, we examine the vulnerability lifecycle by analyzing protracted vulnerabilities (PCVEs), which remain unresolved or undisclosed over long periods. We construct a dataset of PCVEs and conduct a qualitative analysis to uncover underlying causes of delay. To assess current automated solutions, we evaluate four state-of-the-art (SOTA) vulnerability detectors on our dataset. These tools detect only 1,059 out…
