MRC-VulLoc: Software source code vulnerability localization based on multi-choice reading comprehension

Abstract

Recently, automatic vulnerability detection approaches based on machine learning (ML) have outperformed traditional rule-based approaches in terms of detection performance. Existing ML-based approaches typically concentrate on function or line granularity, which fail to realize accurate vulnerability localization and are insufficient to support effective root cause analysis of vulnerability. To address this issue, we propose a new approach that maps the multi-choice reading comprehension (MRC) task to the vulnerability localization task at the granularity of vulnerability triggering path named MRC-VulLoc. Initially, we design six large datasets (including C/C++ and Java languages) in the form of MRC. Subsequently, we introduce a novel pre-trained vulnerability localization model, combining the effective code semantic comprehension ability of pre-trained model with the advantages of Bidirectional Short-Term Memory Network (Bi-LSTM) and Convolutional Neural Network (CNN) models. Lastly, we conduct experiments to evaluate the vulnerability localization with several state-of-the-art MRC approaches and vulnerability detectors. Experimental results demonstrate the effectiveness of the proposed datasets in evaluating MRC approaches for vulnerability localization. Furthermore, MRC-VulLoc achieves higher precision on vulnerability localization compared to comparative vulnerability detectors.