VulWeaver: Weaving Broken Semantics for Grounded Vulnerability Detection
Yiheng Cao, Yihao Chen, Xin Hu, Bihuan Chen, Jiayi Deng, Zhuotong Zhou, Susheng Wu, Yiheng Huang, Xueying Du, Xingman Chen, Miaohua Li, and Xin Peng

TL;DR
VulWeaver is an innovative LLM-based method that enhances program semantics understanding for more accurate vulnerability detection, outperforming existing approaches on multiple datasets and real-world projects.
Contribution
It introduces a novel approach combining enhanced dependency graphs, holistic context extraction, and meta-prompting to improve grounded vulnerability detection accuracy.
Findings
Achieved 0.75 F1-score on PrimeVul4J, outperforming baselines by up to 23%.
Detected 26 vulnerabilities in Java projects, with 15 confirmed by developers.
Identified 40 vulnerabilities in an industrial setting, demonstrating practical effectiveness.
Abstract
Detecting vulnerabilities in source code remains critical yet challenging, as conventional static analysis tools construct inaccurate program representations, while existing LLM-based approaches often miss essential vulnerability context and lack grounded reasoning. To mitigate these challenges, we introduce VulWeaver, a novel LLM-based approach that weaves broken program semantics into accurate representations and extracts holistic vulnerability context for grounded vulnerability detection. Specifically, VulWeaver first constructs an enhanced unified dependency graph (UDG) by integrating deterministic rules with LLM-based semantic inference to address static analysis inaccuracies. It then extracts holistic vulnerability context by combining explicit contexts from program slicing with implicit contexts, including usage, definition, and declaration information. Finally, VulWeaver employs…
