Abstract

In this paper, we present VFFinder, a novel graph-based approach for automated silent vulnerability fix identification. To precisely capture the meaning of code changes, the changed code is represented in connection with the related unchanged code. In VFFinder, the structure of the changed code and related unchanged code are captured and the structural changes are represented in annotated Abstract Syntax Trees (αAST). VFFinder distinguishes vulnerability-fixing commits from non-fixing ones using attention-based graph neural network models to extract structural features expressed in αASTs. We conducted experiments to evaluate VFFinder on a dataset of 11K+ vulnerability-fixing commits in 507 real-world C/C++ projects. Our results show that VFFinder significantly improves on the state-of-the-art methods by 272–420% in Precision, 22–70% in Recall, and 3.2X–8.2X in F1. Especially, VFFinder speeds up the silent fix identification process by up to 121% with the same effort reviewing 50K LOC compared to the existing approaches.

Keywords: Silent vulnerability fixes, vulnerability fix identification, code change representation, graph-based model.
