Abstract
Current deep-learning-based vulnerability detection methods have proven more automatic and, to a certain extent, more accurate; nonetheless, they are limited to detection at function level or file level, which hinders software developers from obtaining more detailed information and performing more targeted repairs. Graph-based detection methods have shown dominant performance over others. Unfortunately, the information they reveal has not been fully utilized. We design SedSVD (Subgraph embedding driven Statement-level Vulnerability Detection) with two objectives: (i) to make better use of the information that code-related graphs can reflect; (ii) to detect vulnerabilities at a finer-grained level. In our work, we propose a novel graph-based detection framework that embeds graphs at subgraph level to realize statement-level detection. It first leverages the Code Property Graph (CPG) to learn both semantic and syntactic information from source code, and then selects several center nodes (code elements) in the CPG and builds their subgraphs. After embedding each subgraph with its nodes and edges, we apply a Relational Graph Convolutional Network (RGCN) to process different edge types differently. A Multi-Layer Perceptron (MLP) layer is further added to ensure its prediction performance. We conduct our experiments on C/C++ projects from NVD and SARD. Experimental results show that SedSVD achieves 95.15% in F1-measure, which demonstrates that our approach is more effective. Our work detects at a finer-grained level and achieves a higher F1-measure than existing state-of-the-art vulnerability detection techniques. Besides, we provide a more detailed detection report that points out the specific erroneous code elements within statements.
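The following is an added illustration, not the SedSVD authors' code, of the subgraph stage the abstract describes: choosing statement nodes in a Code Property Graph as center nodes, cutting a k-hop subgraph around each, and embedding that subgraph with a relation-aware (RGCN-style) message-passing layer that applies a separate weight matrix per edge type. The CPG is constructed by hand for a four-statement C snippet; the node ids, the three edge types, the one-hop radius, the one-hot node encoding and the random weights are all assumptions for illustration. The trained MLP classifier the paper places on top of the embeddings is omitted, since untrained weights would produce meaningless scores.

```python
# Added example (not the SedSVD authors' code): toy statement-level subgraph
# embedding over a hand-constructed Code Property Graph. Node ids, edge labels,
# hop count and weight initialisation are assumptions for illustration only.
from collections import defaultdict, deque
import random

RELATIONS = ("AST", "CFG", "PDG")      # assumed edge types of the CPG

# Constructed CPG for:
#   s1: char buf[8];
#   s2: int n = read_len();
#   s3: memcpy(buf, src, n);
#   s4: return 0;
# Statement nodes s1..s4 are the center nodes; AST children hang off them.
NODE_TYPES = {
    "s1": "Declaration", "buf": "Identifier",
    "s2": "Declaration", "n": "Identifier", "read_len": "Call",
    "s3": "ExpressionStatement", "memcpy": "Call",
    "buf2": "Identifier", "src": "Identifier", "n2": "Identifier",
    "s4": "Return",
}
EDGES = [
    ("s1", "buf", "AST"),
    ("s2", "n", "AST"), ("s2", "read_len", "AST"),
    ("s3", "memcpy", "AST"), ("memcpy", "buf2", "AST"),
    ("memcpy", "src", "AST"), ("memcpy", "n2", "AST"),
    ("s1", "s2", "CFG"), ("s2", "s3", "CFG"), ("s3", "s4", "CFG"),
    ("s1", "s3", "PDG"),   # buf defined in s1, used in s3
    ("s2", "s3", "PDG"),   # n defined in s2, used in s3
]
CENTER_NODES = ["s1", "s2", "s3", "s4"]
OUT_DIM = 4


def extract_subgraph(center, hops, edges=EDGES):
    """k-hop neighbourhood of `center` over all edge types (direction ignored),
    returned as (sorted node ids, edges with both endpoints inside)."""
    adj = defaultdict(set)
    for u, v, _ in edges:
        adj[u].add(v)
        adj[v].add(u)
    seen, frontier = {center}, deque([(center, 0)])
    while frontier:
        node, d = frontier.popleft()
        if d == hops:
            continue
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, d + 1))
    inner = [e for e in edges if e[0] in seen and e[1] in seen]
    return sorted(seen), inner


def one_hot_features(nodes, node_types=NODE_TYPES):
    """Node feature = one-hot of its CPG node type (assumed encoding)."""
    vocab = sorted(set(node_types.values()))
    feats = {n: [1.0 if node_types[n] == t else 0.0 for t in vocab] for n in nodes}
    return feats, len(vocab)


def init_weights(in_dim, out_dim, relations=RELATIONS, seed=0):
    """One weight matrix per relation plus a self-loop matrix (random, untrained)."""
    rng = random.Random(seed)

    def mat():
        return [[rng.uniform(-1, 1) for _ in range(in_dim)] for _ in range(out_dim)]

    return {r: mat() for r in (*relations, "self")}


def _matvec(w, x):
    return [sum(wij * xj for wij, xj in zip(row, x)) for row in w]


def rgcn_layer(feats, edges, weights, relations=RELATIONS):
    """h_v = ReLU(W_self x_v + sum_r sum_{u in N_r(v)} W_r x_u / |N_r(v)|).
    Messages along different edge types pass through different weights, so a
    CFG predecessor and a PDG data dependency contribute differently."""
    in_nbrs = {v: {r: [] for r in relations} for v in feats}
    for u, v, r in edges:
        in_nbrs[v][r].append(u)
    out = {}
    for v, x in feats.items():
        h = _matvec(weights["self"], x)
        for r in relations:
            nbrs = in_nbrs[v][r]
            for u in nbrs:
                msg = _matvec(weights[r], feats[u])
                h = [a + b / len(nbrs) for a, b in zip(h, msg)]
        out[v] = [max(0.0, a) for a in h]
    return out


def embed_statement(center, hops=1, weights=None, edges=EDGES):
    """Subgraph embedding for one statement: one RGCN layer, then mean pooling."""
    nodes, sub_edges = extract_subgraph(center, hops, edges)
    feats, in_dim = one_hot_features(nodes)
    weights = weights or init_weights(in_dim, OUT_DIM)
    h = rgcn_layer(feats, sub_edges, weights)
    return [sum(h[n][i] for n in nodes) / len(nodes) for i in range(OUT_DIM)]


if __name__ == "__main__":
    # The paper feeds these per-statement vectors to a trained MLP; here we only print them.
    for c in CENTER_NODES:
        nodes, _ = extract_subgraph(c, 1)
        print(c, nodes, [round(x, 3) for x in embed_statement(c)])
```

Running the block shows the point of statement-level subgraphs: the one-hop subgraph of `s3` (the `memcpy` call) pulls in both defining statements `s1` and `s2` through PDG edges, so the embedding for that statement carries the buffer declaration and the length source as context, whereas `s4` sees only its CFG predecessor. Because the layer keeps one weight matrix per relation, relabelling CFG edges as PDG edges changes the resulting embedding, which is the distinction a relation-agnostic GCN would lose.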